Advisory ID: ngCERT-2025-100001
SUMMARY
ngCERT has detected over 100 critical- and high-severity vulnerabilities, primarily affecting Microsoft Windows and Office components, along with a few third-party issues. Key risks include remote code execution (RCE), elevation of privilege (EoP), and zero-day exploits, with CVSS scores reaching 9.8. Ten critical flaws and eight zero-days were noted, some of them actively exploited and listed in the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalogue. Microsoft has released patches for these vulnerabilities, hence the urgent need to update systems and apply the available patches.
Damage: Critical
Probability: High
Platform(s): Microsoft Windows
DESCRIPTION
The vulnerabilities principally affect Microsoft systems categorized as follows:
a) RCE in Core Windows Components (about 36% of Microsoft CVEs): Flaws enabling arbitrary code execution via emails, packets, or files with little user interaction. Examples include Windows OLE (e.g., CVE-2025-21298, triggered by zero-click Outlook previews), Telephony Service (over 20 CVEs such as CVE-2025-21286 and CVE-2025-21266, all CVSS 8.8), Remote Desktop Services (e.g., CVE-2025-21297), and others such as BranchCache and SPNEGO authentication.
b) EoP in Virtualization and Installers (about 25% of Microsoft CVEs): Allows attackers to escalate to SYSTEM privileges. Notable are Hyper-V flaws, including CVE-2025-21333, which are exploited zero-days with CVSS 7.8, and App Installer issues such as CVE-2025-21275. This category also includes remote exploitation of NTLMv1.
c) Office and Developer Tools Issues: RCE/EoP in Access, Excel, Outlook, .NET, and Visual Studio, including zero-days with CVSS 7.8 such as CVE-2025-21186, often exploited via malicious documents.
d) DoS and Information Disclosure: Affects services such as MSMQ (e.g., CVE-2025-21251) and includes kernel memory leaks.
e) Third-Party and Older CVEs: Includes an authentication bypass in Progress WhatsUp Gold (CVE-2024-12108, CVSS 9.6) and legacy issues such as Kerberos (2022 CVEs).
CONSEQUENCES
Successful exploitation of these flaws could result in:
- Full System Compromise: RCE flaws allow attackers to run arbitrary code as the user or SYSTEM, enabling malware deployment, ransomware, or persistent access.
- Privilege Escalation and Lateral Movement: EoP in Hyper-V or installers facilitates VM escapes, domain dominance, or supply-chain attacks in enterprise networks.
- Data Theft/Exfiltration: Information disclosures (e.g., NTLM hashes via CVE-2025-21308) enable pass-the-hash attacks; Office flaws risk sensitive document leaks.
- Service Disruption: DoS in MSMQ or RDP could halt critical operations in monitored environments.
- Broader Impact: Zero-days like CVE-2025-21298 are wormable via email, amplifying spread in unpatched fleets. For third parties such as WhatsUp Gold, unauthorized server access risks network-wide reconnaissance. Unmitigated, these could lead to regulatory non-compliance issues with GDPR and NIST, and financial losses from breaches.
SOLUTION/MITIGATION
To mitigate these vulnerabilities, ngCERT recommends the following measures:
- Patch Urgently: Apply January 2025 updates such as KB5040431 through Windows Update or management tools; prioritize exposed systems and test first.
- Hardening Measures: Disable NTLMv1, block unnecessary ports (e.g., PGM/UDP), restrict email previews in Outlook, enable Credential Guard for Hyper-V, and use Extended Protection for Authentication (EPA). For third-party tools like WhatsUp Gold, upgrade to patched versions and rotate keys.
- Detection Strategies: Deploy EDR for anomaly monitoring (e.g., unusual Telephony or OLE activity), enable logging for RDP/MSMQ, and monitor for publicly available proof-of-concept (PoC) exploit code.
- General Practices: Ensure network segmentation, least privilege, regular scans, and MSRC subscriptions to reduce exposure.
HYPERLINK
- https://jetpatch.com/blog/patch-tuesday/microsoft-january-2025-patch-tuesday/
- https://www.tenable.com/blog/microsofts-january-2025-patch-tuesday-157-cves-cve-2025-21333-cve-2025-21334-cve-2025-21335
- https://www.tenable.com/blog/microsofts-august-2025-patch-tuesday-addresses-107-cves-cve-2025-53779
- https://support.microsoft.com/en-us/topic/protections-for-cve-2025-26647-kerberos-authentication-5f5d753b-4023-4dd3-b7b7-c8b104933d53
Advisory ID: NCC-CSIRT-2025-019
Summary:
Europol and Eurojust have dismantled a cybercrime-as-a-service (CaaS) network, Operation SIMCARTEL, which operated large-scale SIM-farm systems used to create over 49 million fake online accounts across more than 80 countries. In Nigeria and West Africa, similar operations threaten KYC integrity, telecom infrastructure, and financial systems, facilitating smishing, phishing, money-mule schemes, and social-media manipulation. Telecom operators, fintech platforms, and regulators must assume that phone numbers can be rented or abused at scale and strengthen verification, detection, and onboarding controls.
Damage/Probability: Critical/High
Product(s):
- Mobile network services (SIM cards, SMS/MMS delivery, voice)
- Mobile Virtual Network Operators (MVNOs), retail SIM distribution channels
- Online services relying on phone-number verification (social media, messaging apps, Fintech, e-commerce)
- SMS gateway providers and aggregators
Version(s):
Not version-specific (Telecom operations, KYC and provisioning processes, Verification services)
Platform(s):
- Mobile networks (GSM/3G/4G/5G)
- SMS/SS7/SS8/SS7-like routing infrastructure
- Web platforms using phone verification, number-rental marketplaces
Description:
SIM farms are collections of GSM modems and SIM cards used to automate OTP receipt and account registration. They enable criminals to bypass phone verification and conduct large-scale fraud. In Nigeria, this threat can support financial fraud and phishing schemes, election-related disinformation, bulk SMS scams, and exploitation of weak SIM registration and KYC enforcement. Enhanced telecom monitoring, cross-sector collaboration, and strict KYC compliance are essential to mitigate this risk.
Impacts:
- Fraudulent fintech and bank accounts opened with rented SIMs.
- Smishing campaigns using new numbers to evade blacklists.
- Large-scale fake social-media profiles spreading scams and misinformation.
- Weakening of phone-based verification and erosion of trust in KYC systems.
- Regulatory and reputational risks for operators enabling number abuse.
Solutions:
Focus Area               | Recommended Action
Detection & Monitoring   | Analyze for bulk SIM provisioning or activation spikes.
KYC & SIM Controls       | Enforce strict ID and biometric verification for new SIMs.
Fraud Prevention         | Apply behavioral/velocity checks for phone-verified accounts.
Coordination & Awareness | Establish shared blocklists for abused numbers/resellers.
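The velocity checks recommended above, worked through in code: an added example over constructed verification events, not part of the NCC-CSIRT advisory. It flags a phone number that verifies many distinct services in a short window (a rented SIM-farm number) and a SIM reseller whose numbers all verify at once (bulk provisioning); the thresholds and the reseller-id field are assumptions.

```python
"""Velocity checks for SIM-farm abuse over phone-verification events.
Added example over constructed data; not part of the NCC-CSIRT advisory."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OTP-verification log: (timestamp, phone number, service, SIM reseller id)
EVENTS = [
    ("2025-10-20T09:00:00", "+2348010000001", "fintech-a", "R-17"),
    ("2025-10-20T09:00:40", "+2348010000001", "social-b", "R-17"),
    ("2025-10-20T09:01:10", "+2348010000001", "fintech-c", "R-17"),
    ("2025-10-20T09:01:30", "+2348010000001", "ecommerce-d", "R-17"),
    ("2025-10-20T09:02:00", "+2348010000002", "fintech-a", "R-17"),
    ("2025-10-20T09:02:05", "+2348010000003", "fintech-a", "R-17"),
    ("2025-10-20T09:02:10", "+2348010000004", "fintech-a", "R-17"),
    ("2025-10-20T09:02:15", "+2348010000005", "fintech-a", "R-17"),
    ("2025-10-20T09:02:20", "+2348010000006", "fintech-a", "R-17"),
    ("2025-10-20T11:00:00", "+2348029999999", "fintech-a", "R-02"),
    ("2025-10-21T11:00:00", "+2348029999999", "social-b", "R-02"),
]

WINDOW = timedelta(hours=1)
MAX_SERVICES_PER_NUMBER = 3   # assumed threshold: distinct services one number may verify per window
MAX_NUMBERS_PER_RESELLER = 5  # assumed threshold: distinct numbers one reseller's SIMs may verify per window


def max_distinct_in_window(items, window):
    """items: (datetime, key) pairs. Largest number of distinct keys seen in any `window` span."""
    items = sorted(items)
    counts, best, start = defaultdict(int), 0, 0
    for t, key in items:
        counts[key] += 1
        while items[start][0] < t - window:      # expire events older than the window
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def flag_numbers(events, window=WINDOW, limit=MAX_SERVICES_PER_NUMBER):
    """Numbers that verified more than `limit` distinct services inside one window."""
    per_number = defaultdict(list)
    for ts, number, service, _ in events:
        per_number[number].append((datetime.fromisoformat(ts), service))
    return sorted(n for n, items in per_number.items()
                  if max_distinct_in_window(items, window) > limit)


def flag_resellers(events, window=WINDOW, limit=MAX_NUMBERS_PER_RESELLER):
    """Resellers whose SIMs verified more than `limit` distinct numbers inside one window."""
    per_reseller = defaultdict(list)
    for ts, number, _, reseller in events:
        per_reseller[reseller].append((datetime.fromisoformat(ts), number))
    return sorted(r for r, items in per_reseller.items()
                  if max_distinct_in_window(items, window) > limit)


if __name__ == "__main__":
    print("suspicious numbers:", flag_numbers(EVENTS))
    print("suspicious resellers:", flag_resellers(EVENTS))
```

A number legitimately used by one person on two services a day apart (the "+2348029999999" rows) stays below both thresholds, which is the behaviour a velocity rule must preserve.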
References:
- https://thehackernews.com/2025/10/europol-dismantles-sim-farm-network.html
- https://www.europol.europa.eu/media-press/newsroom/news/cybercrime-service-takedown-7-arrested
- https://cyberscoop.com/europol-dismantles-cybercime-network-sim-boxes-fraud/
- https://therecord.media/europe-sim-farms-raided-latvia-austria-estonia
- https://www.bleepingcomputer.com/news/security/europol-dismantles-sim-box-operation-renting-numbers-for-cybercrime/
Advisory ID: NCC-CSIRT-2025-018
Summary:
Researchers have discovered ClayRat, a new Android spyware disguised as popular apps like WhatsApp and TikTok. It spreads through Telegram and fake websites, stealing messages, photos, and other personal data. The malware can also take secret pictures and send malicious links to contacts, making it hard to detect and remove.
Damage/Probability: Critical/High
Product(s):
- Android mobile devices running side-loaded Android Package Kit (APK) files or apps installed from untrusted stores / Telegram channels
- Popular mobile app brands used as lures (WhatsApp, TikTok, YouTube, Google Photos)
Version(s):
Not version-specific; it affects Android devices where a malicious APK is installed and granted the required roles/permissions.
Platform(s):
- Android OS (various versions).
- Devices with SMS/notification privileges and browsers/Telegram clients used to download APK droppers.
Description:
Zimperium security researchers have discovered a new Android spyware called ClayRat, which pretends to be popular apps like WhatsApp, TikTok, YouTube, and Google Photos. The attackers share these fake apps through Telegram channels and phishing websites, often using lookalike domains and fake reviews to appear genuine.
When users download and install these fake apps manually, they are tricked into giving the spyware special permissions, such as access to text messages and notifications. This allows ClayRat to read messages (including security codes), check call logs, view contacts, take photos, and send stolen data to the attackers’ servers. It can also send harmful links to the victim’s contacts, spreading the infection further.
The malware is constantly changing, with over 600 different versions found in just a few months. It also uses advanced hiding techniques to avoid detection by antivirus software, making it difficult to remove once installed. Because it spreads through public channels like Telegram, the spyware can reach a large number of victims very quickly.
Impacts:
- Disclosure of sensitive communications (SMS, verification codes) and account takeover risk.
- Loss of privacy (photos, location, microphone/camera capabilities).
- Rapid lateral spread via messages to contacts and Telegram channels, increasing scale of compromise.
- Potential secondary payloads installed by the loader (additional RATs, credential stealers).
Solutions:
- Deploy Mobile Threat Defense (MTD) and Google Play Protect to detect malicious APKs and abnormal behaviors.
- Validate apps against an approved allowlist; remove any mismatched packages immediately.
- Block malicious domains, phishing sites, and suspicious Telegram channels at the DNS/network level.
- Disable side-loading on managed devices; allow installations only from the Play Store or enterprise app store.
- For suspected devices, remove unknown APKs, revoke sensitive permissions, rotate credentials, and enforce phishing-resistant MFA.
- Isolate and analyze compromised devices, collecting relevant artifacts for forensics.
- Educate users to avoid installing apps from untrusted links or channels and to verify app sources.
- Keep MTD/antivirus and EDR signatures updated and configure alerts for suspicious app or SMS-handler activities.
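The allowlist validation and side-loading checks listed above, as an added example (not part of the advisory or Zimperium's research): it parses the output of `adb shell pm list packages -i`, which prints each package with its installer, and flags packages that are not on the allowlist, were not installed by a trusted installer, or imitate a brand that ClayRat impersonates. The allowlist, trusted-installer set and the listing itself are constructed assumptions.

```python
"""Audits installed Android packages from `pm list packages -i` output against an
allowlist, trusted installers and brand-lookalike names. Added example over a
constructed listing; not part of the NCC-CSIRT advisory."""
import re

# Assumption: only Google Play installs are acceptable on managed devices
TRUSTED_INSTALLERS = {"com.android.vending"}
# Assumption: hypothetical enterprise allowlist of approved package names
ALLOWLIST = {"com.whatsapp", "com.zhiliaoapp.musically", "com.google.android.youtube",
             "com.google.android.apps.photos", "com.android.chrome"}
# Brands used as lures, mapped to the genuine package name for each
BRAND_PACKAGES = {"whatsapp": "com.whatsapp", "tiktok": "com.zhiliaoapp.musically",
                  "youtube": "com.google.android.youtube",
                  "photos": "com.google.android.apps.photos"}

# Constructed `adb shell pm list packages -i` output (installer=null means side-loaded)
SAMPLE_LISTING = """\
package:com.whatsapp  installer=com.android.vending
package:com.google.android.youtube  installer=com.android.vending
package:com.whatsapp.update  installer=null
package:org.tiktok.free.pro  installer=com.android.packageinstaller
package:com.android.chrome  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_listing(text):
    """Return (package, installer) tuples; installer is None when pm printed 'null'."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkg, inst = m.groups()
            out.append((pkg, None if inst == "null" else inst))
    return out


def lookalike_brand(pkg):
    """Brand name a package imitates without being that brand's genuine package, else None."""
    for brand, genuine in BRAND_PACKAGES.items():
        if brand in pkg.lower() and pkg != genuine:
            return brand
    return None


def audit(listing):
    """List of (package, reasons) for every package that fails a check."""
    findings = []
    for pkg, installer in parse_listing(listing):
        reasons = []
        if pkg not in ALLOWLIST:
            reasons.append("not on allowlist")
        if installer not in TRUSTED_INSTALLERS:
            reasons.append("side-loaded (installer=%s)" % installer)
        brand = lookalike_brand(pkg)
        if brand:
            reasons.append("imitates %s" % brand)
        if reasons:
            findings.append((pkg, reasons))
    return findings


if __name__ == "__main__":
    for pkg, reasons in audit(SAMPLE_LISTING):
        print(pkg, "->", "; ".join(reasons))
```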
References:
- https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia
- https://thehackernews.com/2025/10/new-clayrat-spyware-targets-android.html
- https://www.csoonline.com/article/4070281/clayrat-spyware-turns-phones-into-distribution-hubs-via-sms-and-telegram.html
- https://securityaffairs.com/183169/malware/clayrat-campaign-uses-telegram-and-phishing-sites-to-distribute-android-spyware.html
Advisory ID: NCC-CSIRT-2025-017
Summary:
win.satacom is a family of Trojan-downloaders (also reported as Satacom / LegionLoader) that has been active since at least 2019. It functions primarily as a loader/downloader, installing follow-on payloads such as cryptocurrency-stealing browser extensions and information-stealers. Recent campaigns have delivered stealthy Chromium extensions that intercept web sessions and siphon cryptocurrencies from victims on exchange and web wallet pages. Microsoft Defender, Kaspersky, and other AV vendors detect variants of this family.
Damage/Probability: High/High
Product(s):
- Windows endpoints
- Chromium-based browsers (via malicious extensions)
- Downloader distribution chains (phishing, droppers, packers)
Version(s):
Not version-specific; it affects Windows systems where the downloader is executed and Chromium browsers that accept malicious extensions.
Platform(s):
- Microsoft Windows (x86/x64)
- Chromium browser families (Chrome, Edge, Brave, etc.)
- Common enterprise environments where browser-based crypto wallets are used
Description:
Satacom acts as a downloader/dropper. After initial execution (often from a malicious installer, bundled software, or an obfuscated dropper), it contacts Command & Control servers to retrieve additional payloads and loaders. Variant analysis shows multiple string-deobfuscation and packing techniques.
Documented campaigns (2023 onward) show Satacom delivering malicious Chromium extensions engineered to perform web injections on crypto exchange and wallet pages to exfiltrate funds and session cookies. Other follow-on binaries observed include RedLine, other stealers, and loaders.
Variants use common downloader evasion (packing/obfuscation, staged encryption of strings, anti-analysis checks), persistence via scheduled tasks/startup entries, and fallback C2 techniques.
Campaigns have targeted users in multiple regions (e.g., Brazil, India, Indonesia, Turkey, Egypt and others in prior reporting) with a focus on users who transact in cryptocurrency.
Impacts:
- Loss/theft of cryptocurrency from web wallets and exchange accounts via browser extension or web-inject attacks.
- Compromise of user credentials, session cookies, and stored secrets leading to account takeover (ATO).
- Persistent foothold through additional downloaded payloads (infostealers, RATs).
- Lateral movement in poorly segmented networks if follow-on payloads include remote access tools.
Solutions:
- Scan endpoints with up-to-date anti-malware signatures (Microsoft Defender, Kaspersky, Broadcom/Symantec, Fortinet, etc.). Microsoft Defender and other engines include detections for Satacom variants.
- Monitor for suspicious child processes of browser and common installer processes, and for downloads from known malicious gateways.
- Inspect installed Chromium extensions centrally (via endpoint management or browser management policies) and flag any extension installed outside official enterprise channels or having excessive permissions.
- Employ Endpoint Detection and Response (EDR) tooling to hunt for known behaviour patterns.
- Quarantine and remove detected Satacom binaries; block related Command & Control domains/IPs at the network perimeter and in DNS.
- Enforce a browser extension policy: allow only approved extensions via enterprise browser management; remove all unapproved/unknown extensions; rotate credentials and revoke sessions for any accounts accessed from infected hosts.
- For users with suspected exposure, reset passwords, enable phishing-resistant Multi Factor Authentication where possible, and move high-value crypto to cold storage or wallets with hardware isolation.
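The central extension inspection recommended above, as an added example (not from the advisory or any vendor's tooling): it reads the `extensions.settings` map that Chromium keeps in a profile's Preferences / Secure Preferences JSON and flags extensions that were not installed from the Web Store, are not on the approved list, hold permissions that allow reading or rewriting every page and its cookies, or register content scripts on exchange/wallet hosts, which is the web-inject pattern the advisory describes. The approved IDs, the sensitive-host keywords and the sample file are constructed assumptions.

```python
"""Audits Chromium extensions from a profile's Preferences JSON (extensions.settings).
Added example over a constructed excerpt; not part of the NCC-CSIRT advisory."""
import json

# Assumption: hypothetical enterprise-approved extension IDs
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
# Permissions/host patterns that let an extension read or modify any page or its session cookies
HIGH_RISK = {"webRequest", "webRequestBlocking", "cookies", "debugger", "scripting",
             "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumption: host-name terms from the organisation's own watchlist of crypto-related sites
SENSITIVE_HOST_HINTS = ("exchange", "wallet")

# Constructed excerpt of a Chromium Preferences file
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "state": 1,
        "manifest": {"name": "Approved Corp Tool", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "state": 1,
        "path": "C:\\Users\\u\\AppData\\Local\\Temp\\ext",
        "manifest": {"name": "Wallet Helper",
                     "permissions": ["cookies", "webRequest", "webRequestBlocking", "storage"],
                     "host_permissions": ["<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {
        "from_webstore": True, "state": 1,
        "manifest": {"name": "Reader", "permissions": ["activeTab"],
                     "content_scripts": [{"matches": ["https://*.exchange.example/*"],
                                          "js": ["a.js"]}]}},
}}})


def extension_permissions(entry):
    """All permission strings and host patterns an extension entry declares."""
    m = entry.get("manifest", {})
    perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    for cs in m.get("content_scripts", []):          # pages it injects scripts into
        perms.update(cs.get("matches", []))
    return perms


def audit_extensions(prefs_json):
    """Map of extension id -> {"name", "reasons"} for every extension that fails a check."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = {}
    for ext_id, entry in settings.items():
        reasons = []
        if ext_id not in APPROVED_IDS:
            reasons.append("not approved")
        if not entry.get("from_webstore", False):
            reasons.append("installed outside the Web Store (path=%s)" % entry.get("path"))
        perms = extension_permissions(entry)
        risky = sorted(perms & HIGH_RISK)
        if risky:
            reasons.append("high-risk permissions: " + ", ".join(risky))
        targeted = sorted(p for p in perms if any(h in p.lower() for h in SENSITIVE_HOST_HINTS))
        if targeted:
            reasons.append("targets sensitive hosts: " + ", ".join(targeted))
        if reasons:
            findings[ext_id] = {"name": entry.get("manifest", {}).get("name"), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ext_id, f in audit_extensions(SAMPLE_PREFS).items():
        print(ext_id, f["name"], "->", "; ".join(f["reasons"]))
```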
References:
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description/
- https://www.broadcom.com/support/security-center/protection-bulletin/satacom-malware-spreading-cryptocurrency-infostealers
- https://threats.kaspersky.com/en/threat/Trojan-Downloader.Win32.Satacom.zs/
- https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/
- https://medium.com/%40tanmaymore06/reversing-satacom-decoding-c2-server-3696bfcb9111
Advisory ID: NCC-CSIRT-2025-016
Summary:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding ongoing attacks targeting Cisco ASA and Firepower devices, urging organizations to identify, analyse, and patch critical vulnerabilities immediately. The flaws allow unauthenticated remote code execution, privilege escalation, and firmware manipulation to maintain persistence even after reboots or upgrades.
The exploitation, linked to the ArcaneDoor (Storm-1849) threat group, has already compromised at least ten organizations worldwide, including several U.S. federal agencies. CISA noted that attackers have demonstrated the ability to tamper with read-only memory components since 2024.
Damage/Probability: High/Critical
Product(s):
- Cisco Adaptive Security Appliance (ASA) / ASA-based firewall software
- Cisco Firepower / Firepower Threat Defense (FTD) appliances
- End-of-support or legacy Cisco firewall hardware
Version(s):
- Cisco ASA / ASA firmware versions (across supported and unsupported releases)
- Cisco Firepower / FTD software versions
- Legacy ASA hardware reaching end-of-support (e.g. certain 5500-X series)
Platform(s):
On-premises firewall and network edge infrastructure running Cisco ASA / Firepower; management and web services exposed via VPN/web services interfaces.
Description:
Through its Emergency Directive, CISA has officially recognized a “widespread” exploitation campaign targeting Cisco ASA and Firepower devices. (Cybersecurity Dive) The exploited vulnerabilities (notably CVE-2025-20333, CVE-2025-20362, and, in some disclosures, CVE-2025-20363) allow attackers to obtain unauthenticated remote code execution, escalate privileges, and, critically, tamper with internal device firmware (read-only memory modules) so that malware or implants survive reboots and upgrades.
In practice, the attacker chain might proceed as follows:
- Use CVE-2025-20333 to gain unauthenticated remote code execution on a vulnerable ASA / ASA-web services interface.
- Use CVE-2025-20362 (privilege escalation) or other methods to gain full administrative/root privileges.
- Modify ROM / firmware or boot components to embed malicious implants (e.g., replacing or altering ROMMON) so that control is retained across reboots, firmware upgrades, and factory resets.
- Use the compromised firewall as a pivot point into internal networks, intercept or redirect traffic, or exfiltrate data.
Cisco itself has indicated that attackers utilized advanced evasion techniques, disabling logging, crashing devices to prevent diagnostic analysis, intercepting CLI commands, and tampering with boot mechanisms.
CISA’s directive notes that some ASA devices will reach end-of-support on 30 September 2025, and mandates their full decommissioning. The directive also mandates forensic core dumps, assessments of compromise, removal of compromised devices, upgrade or replacement of vulnerable systems, and reporting to CISA.
Impacts:
- Complete compromise of firewall appliances, enabling attackers to intercept, reroute, or modify network traffic
- Persistence even after firmware upgrades/reboots, making detection and cleanup extremely difficult
- Lateral movement into downstream systems and network segments
- Exfiltration of sensitive data, credential theft, internal espionage
- Disruption of network security controls or denial of service
- Reputational, regulatory and compliance fallout for organizations relying on affected infrastructure
Solutions:
- Immediately inventory all Cisco ASA and Firepower / FTD devices in use, especially those with VPN or web services enabled.
- Decommission / permanently disconnect ASA hardware that reaches or passes end-of-support (particularly those that go end-of-support on 30 Sept 2025).
- For supported devices, immediately upgrade firmware/software to Cisco’s patched versions (apply latest updates and subsequent releases within 48 hours of availability).
- Reset device configurations: treat all configurations, credentials, certificates, and keys as potentially compromised. Rebuild or reconfigure from scratch where possible after patching.
- Segregate/restrict access: management and administrative interfaces should be accessible only from trusted internal networks or VPN tunnels; ensure no exposure to the public internet if not strictly necessary.
- Monitor logs, traffic, and anomalies: flag unexpected firmware integrity deviations, abnormal traffic flows, or CLI/admin changes.
- Report inventory, actions taken, and outcomes to the relevant oversight authority (for U.S. federal: to CISA) by the required deadline (by Oct 2, 2025, for inventory).
- Engage in threat hunting and retrospective audits to identify whether lateral movement or secondary compromises have occurred.
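The inventory and exposure step of the procedure above, as an added example (not Cisco's or CISA's tooling): it parses constructed `show version` and `show running-config` output from ASA devices, records model and software version, detects whether WebVPN or the HTTP management server is enabled on an untrusted interface, and assigns a triage action. The end-of-support model set, the `outside` interface name and the CLI excerpts are assumptions; fill the model set from Cisco's own end-of-support notices.

```python
"""Builds an ASA/FTD inventory with exposure and end-of-support flags from
`show version` and `show running-config` text. Added example over constructed
CLI output; not part of the NCC-CSIRT advisory."""
import re

# Assumption: placeholder entry; populate from Cisco end-of-support notices
END_OF_SUPPORT_MODELS = {"ASA5525"}
UNTRUSTED_IFACES = {"outside"}          # assumption: interface names facing the internet

# Constructed output per device: (show version, show running-config)
DEVICES = {
    "fw-edge-1": (
        "Cisco Adaptive Security Appliance Software Version 9.12(4)67\n"
        "Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz\n",
        "interface GigabitEthernet0/0\n nameif outside\n security-level 0\n"
        "http server enable\nhttp 0.0.0.0 0.0.0.0 outside\n"
        "webvpn\n enable outside\n"),
    "fw-dc-2": (
        "Cisco Adaptive Security Appliance Software Version 9.18(4)\n"
        "Hardware:   FPR-2130, 16384 MB RAM\n",
        "http server enable\nhttp 10.0.0.0 255.0.0.0 management\n"),
}

VERSION_RE = re.compile(r"Software Version (\S+)")
HARDWARE_RE = re.compile(r"^Hardware:\s+([^,\s]+)", re.M)
HTTP_RE = re.compile(r"^http (\S+) (\S+) (\S+)$")


def parse_show_version(text):
    v, h = VERSION_RE.search(text), HARDWARE_RE.search(text)
    return {"version": v.group(1) if v else None, "model": h.group(1) if h else None}


def exposed_services(config, untrusted=UNTRUSTED_IFACES):
    """Untrusted interfaces on which WebVPN and the HTTP management server are enabled."""
    webvpn, http, in_webvpn = [], [], False
    for line in config.splitlines():
        if not line.startswith(" "):                  # top-level command ends any block
            in_webvpn = line.strip() == "webvpn"
        elif in_webvpn and line.strip().startswith("enable "):
            iface = line.split()[1]
            if iface in untrusted:
                webvpn.append(iface)
        m = HTTP_RE.match(line.strip())               # "http <net> <mask> <iface>"
        if m and (m.group(3) in untrusted or m.group(1) == "0.0.0.0"):
            http.append(m.group(3))
    return {"webvpn": webvpn, "http": http}


def build_inventory(devices=DEVICES, eos_models=END_OF_SUPPORT_MODELS):
    rows = {}
    for name, (show_ver, config) in devices.items():
        row = parse_show_version(show_ver)
        row.update(exposed_services(config))
        row["end_of_support"] = row["model"] in eos_models
        exposed = bool(row["webvpn"] or row["http"])
        row["action"] = ("decommission" if row["end_of_support"]
                         else "patch first (internet-facing services)" if exposed
                         else "patch")
        rows[name] = row
    return rows


if __name__ == "__main__":
    for name, row in build_inventory().items():
        print(name, row)
```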
What Organizations Should Do
Ensure that critical firewall and network infrastructure devices aren’t being overlooked; these are high-value targets.
- Maintain an up-to-date inventory of network edge devices, firmware versions, and support status.
- Subscribe to vendor security advisories and threat intelligence feeds; act on zero-day alerts quickly.
- Introduce firmware integrity checks or attestation mechanisms where feasible.
- Enforce the principle of least privilege and restrict management channel access.
- Periodically rehearse incident response and evacuation of compromised infrastructure.
Train administrators to recognise signs of firmware/ROM tampering, as well as anomalies in firewall behaviour.