{"id":378,"date":"2026-03-26T17:03:15","date_gmt":"2026-03-26T17:03:15","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/26\/pqc-push-ai-vuln-hunting-pirated-traps-phishing-kits-20-more-stories-cyberdefensa-mx\/"},"modified":"2026-03-26T17:03:15","modified_gmt":"2026-03-26T17:03:15","slug":"pqc-push-ai-vuln-hunting-pirated-traps-phishing-kits-20-more-stories-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/03\/26\/pqc-push-ai-vuln-hunting-pirated-traps-phishing-kits-20-more-stories-cyberdefensa-mx\/","title":{"rendered":"PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits &#038; 20 More Stories \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Some weeks in security feel loud. This one feels sneaky. Less big dramatic fireworks, more of that slow creeping sense that too many people are getting way too comfortable abusing things they probably shouldn\u2019t even be touching.<\/p>\n<p>There\u2019s a little bit of everything in this one, too. Weird delivery tricks, old problems coming back in slightly worse forms, shady infrastructure doing shady infrastructure things, and the usual reminder that if criminals find a workflow annoying, they\u2019ll just make a new one by Friday. Efficient little parasites. You almost have to respect the commitment.<\/p>\n<p>A few of these updates have that nasty \u201cyeah, that tracks\u201d energy. Stuff that sounds niche right up until you picture it landing in a real environment with real users clicking real nonsense because they\u2019re busy and tired and just trying to get through the day. Then it stops being abstract pretty fast.<\/p>\n<p>So yeah, this week\u2019s ThreatsDay Bulletin is a solid scroll-before-you-log-off kind of read. 
Nothing here needs a full panic spiral, but some of it definitely deserves a raised eyebrow and maybe a muttered: \u201cOh come on.\u201d Let\u2019s get into it.<\/p>\n<div class=\"td-wrap\">\n<section aria-labelledby=\"threatsday-title\" class=\"td-section\">\n<ol class=\"td-timeline\" role=\"list\">\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">PQC migration fast-tracked<\/span><\/p>\n<p class=\"td-desc\">\n      Google has unveiled a 2029 timeline to secure the quantum era with post-quantum cryptography (PQC) migration, urging other engineering teams to follow suit. \u00abThis new timeline reflects migration needs for the PQC era in light of progress on quantum computing hardware development, quantum error correction, and quantum factoring resource estimates,\u00bb the tech giant <a href=\"https:\/\/blog.google\/innovation-and-ai\/technology\/safety-security\/cryptography-migration-timeline\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abQuantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures. The threat to encryption is relevant today with store-now-decrypt-later attacks, while digital signatures are a future threat that require the transition to PQC prior to a Cryptographically Relevant Quantum Computer (CRQC). That\u2019s why we\u2019ve adjusted our threat model to prioritize PQC migration for authentication services.\u00bb As part of the effort, the company said Android 17 is integrating PQC digital signature protection using the Module-Lattice-Based Digital Signature Algorithm (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/FIPS\/NIST.FIPS.204.pdf\" rel=\"noopener\" target=\"_blank\">ML-DSA<\/a>). 
This <a href=\"https:\/\/security.googleblog.com\/2026\/03\/post-quantum-cryptography-in-android.html\" rel=\"noopener\" target=\"_blank\">includes<\/a> upgrading the Android Verified Boot (AVB) with support for ML-DSA to ensure that the software loaded during the boot sequence remains highly resistant to unauthorized tampering. The second PQC upgrade concerns the transition of Remote Attestation to a fully PQC-compliant architecture and updating Android Keystore to natively support ML-DSA.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">AI finds hidden vulns<\/span><\/p>\n<p class=\"td-desc\">\n      GitHub said it\u2019s introducing AI-powered security detections in GitHub Code Security to expand application security coverage across more languages and frameworks. \u00abThese detections complement CodeQL by surfacing potential vulnerabilities in areas that are difficult to support with traditional static analysis alone,\u00bb GitHub <a href=\"https:\/\/github.blog\/security\/application-security\/github-expands-application-security-coverage-with-ai-powered-detections\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abThis hybrid detection model helps surface vulnerabilities \u2013 and suggested fixes \u2013 directly to developers within the pull request workflow.\u00bb The Microsoft subsidiary said the move is designed to uncover security issues \u00abin areas that are difficult to support with traditional static analysis alone.\u00bb The new hybrid model is expected to enter public preview in early Q2 2026.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Pirated apps spread backdoors<\/span><\/p>\n<p class=\"td-desc\">\n      The Russian threat actor known as Sandworm (aka APT-C-13) has been attributed with moderate confidence to an attack campaign that leverages pirated versions of legitimate software like Microsoft Office (\u00abMicrosoft.Office.2025\u00d764.v2025.iso\u00bb) as lures to deliver different backdoors tracked as Tambur, Sumbur, Kalambur, and DemiMur to high-value targets. It\u2019s assessed that these attacks use Telegram as a distribution vector, using social engineering tactics to target Ukrainian users seeking software cracks. Tambur is designed to spawn SSH reverse tunnels to issue malicious commands, while Kalambur revolves around intranet penetration, remote desktop (RDP) takeover, and persistent communication. Sumbur is a successor to Kalambur with improved obfuscation techniques. DemiMur is mainly used to tamper with the trust chain and evade detection. \u00abAttackers use this module to force the import of a forged DemiMurCA.crt root certificate into the operating system\u2019s trusted root certificate authority store,\u00bb the 360 Advanced Threat Research Institute <a href=\"https:\/\/mp.weixin.qq.com\/s\/QWe2m4qdp45u1cuA5rgLwQ\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abWhen subsequent scripts are executed, Windows automatically verifies the validity of the signature block and deems it \u2018trusted.&#8217;\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Fake extension drains wallets<\/span><\/p>\n<p class=\"td-desc\">\n      A cryptocurrency scam called ShieldGuard claimed to be a blockchain project that presented itself as a security tool aimed at protecting crypto wallets from phishing and harmful smart contracts through a browser extension. Ironically, further analysis revealed that it was built to drain digital assets from wallets. The scam was advertised via a dedicated website (\u00abshieldguards[.]net\u00bb), as well as an X account (@ShieldGuardsNet) and a Telegram channel (@ShieldsGuard). \u00abThe project was promoted using a multi-level marketing campaign in which users would be rewarded for early use of the extension (via a cryptocurrency \u2018airdrop\u2019) and for promoting the capability to other users,\u00bb Okta <a href=\"https:\/\/www.okta.com\/blog\/threat-intelligence\/disrupting-shieldguard--a-security-extension-primed-to-drain-cry\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abShieldGuard appears designed to harvest wallet addresses and other sensitive data for major cryptocurrency platforms including Binance, Coinbase, MetaMask, OpenSea, Phantom and Uniswap, as well as for users of Google services. 
The extension also extracts the full HTML of pages after a user signs into Binance, Coinbase, OpenSea or Uniswap via their browser.\u00bb The threat actor behind the activity is assessed to be Russian-speaking.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Firmware backdoor spreads globally<\/span><\/p>\n<p class=\"td-desc\">\n      Sophos said it identified multiple detections on Android devices for malicious activity associated with the Keenadu backdoor. \u00abKeenadu is a firmware infection embedded in the libandroid_runtime.so (shared object library) that injects itself into the Zygote process,\u00bb the company <a href=\"https:\/\/www.sophos.com\/en-us\/blog\/android-devices-ship-with-firmware-level-malware\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abAs Zygote is the parent process for all Android apps, an attacker effectively gains total control over an infected device.\u00bb Keenadu acts as a downloader for second-stage malware, with the infected devices containing two system-level APK files: PriLauncher.apk and PriLauncher3QuickStep.apk. Over 500 unique compromised Android devices across nearly 50 models have been detected as of March 4, 2026. The devices are mostly low-cost models produced by Allview, BLU, Dcode, DOOGEE, Gigaset, Gionee, Lava, and Ulefone. The identified infections were spread globally, with devices located in 40 countries.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Phishing service quickly rebounds<\/span><\/p>\n<p class=\"td-desc\">\n      In early March, Europol and Microsoft announced the seizure of 330 active Tycoon2FA domains and legal action against multiple individuals linked to the PhaaS. 
According to CrowdStrike, the takedown effort left only a minor dent in Tycoon2FA\u2019s operations, which are now back to pre-disruption levels. On March 4 and 5, following the law enforcement operation, Tycoon2FA activity volume dropped to roughly 25%, but returned to previous levels shortly after, with \u00abdaily levels of cloud compromise active remediations returning to early 2026 levels,\u00bb CrowdStrike <a href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/tycoon2fa-phishing-as-a-service-platform-persists-following-takedown\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abAdditionally, Tycoon2FA\u2019s TTPs have not changed following the takedown, indicating that the service\u2019s operations may persist beyond this disruption.\u00bb These TTPs include phishing emails directing to malicious CAPTCHA pages, session cookie theft upon CAPTCHA validation, use of JavaScript payloads for email address extraction, credential proxying via malicious JavaScript files, and use of stolen credentials to access the victims\u2019 cloud environments. Post-disruption campaigns have leveraged malicious URLs, URL shortener services, links to legitimate presentation software that include malicious redirects to Tycoon2FA infrastructure, and attacker-controlled infrastructure impersonating construction entities, and compromised SharePoint infrastructure from known contacts that retrieves XLSX and PDF files. 
The short-lived disruption is proof that without arrests or physical seizures, it\u2019s easy for cybercriminals to recover and replace the impacted infrastructure.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Fake invites deliver remote access<\/span><\/p>\n<p class=\"td-desc\">\n      Phishing campaigns are weaponizing fake meeting invites for various video conference applications, including Zoom, Microsoft Teams, and Google Meet, to distribute remote access tools. \u00abThe attackers trick corporate users to execute the payload by claiming a mandatory software update is required to join the video call, redirecting victims to typo-squatted domains, such as zoom-meet.us,\u00bb Netskope <a href=\"https:\/\/www.netskope.com\/blog\/attackers-weaponize-signed-rmm-tools-via-zoom-meet-teams-lures\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe payload, disguised as a software update, is a digitally signed remote monitoring and management (RMM) tool such as Datto RMM, LogMeIn, or ScreenConnect. These tools enable attackers to remotely access victims\u2019 machines and gain full administrative control over their endpoints, potentially leading to data theft or the deployment of more destructive malware.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Fileless stealer via phishing<\/span><\/p>\n<p class=\"td-desc\">\n      Attackers are using copyright-infringement notices in a fileless phishing campaign targeting healthcare and government organizations in Germany and Canada that delivers the PureLogs data-stealing malware. 
\u00abThe attack likely relies on phishing emails that lure victims into downloading a malicious executable tailored to the victim\u2019s local language,\u00bb Trend Micro <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/copyright-lures-mask-a-multistage-purelog-stealer-attack.html\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abOnce executed, the malware deploys a multistage infection chain designed for evasion. Notably, it downloads an encrypted payload disguised as a PDF file, then retrieves the decryption password remotely from attacker-controlled infrastructure. The extracted payload launches a Python-based loader that decrypts and executes the final .NET PureLogs stealer malware in memory.\u00bb The Python dropper specifically leverages two .NET loaders to load the stealer malware, with one acting as a backup in case either of them is blocked or killed by an endpoint control. The routine also incorporates anti-virtual machine techniques to evade automated analysis environments, as well as employs in-memory execution to complicate detection efforts. \u00abBy disguising malicious executables as legal notices, using encrypted payloads masquerading as PDF files, remotely retrieving dynamic decryption keys, and leveraging a renamed WinRAR utility for extraction, the operators effectively minimize static indicators and hinder automated analysis,\u00bb the company added. \u00abThe Python-based loader and dual .NET loaders introduce redundancy and fileless execution pathways, ensuring that the final PureLog Stealer payload is launched reliably and without leaving artifacts on disk.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">MS-SQL attacks deploy scanner<\/span><\/p>\n<p class=\"td-desc\">\n      The Larva-26002 threat actor continues to target improperly managed MS-SQL servers. 
\u00abIn January 2024, the Larva-26002 threat actor attacked MS-SQL servers to install the Trigona and Mimic ransomware,\u00bb AhnLab <a href=\"https:\/\/asec.ahnlab.com\/en\/92988\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. In the latest attacks, the threat actors exploited the Bulk Copy Program (BCP) utility of MS-SQL servers to stage the malware locally and deploy a scanner malware named ICE Cloud Client. Written in Go, it functions as both a scanner and a brute-force tool to break into susceptible MS-SQL servers. \u00abThe strings contained in the binary are written in Turkish, and the emoticons used suggest that the author utilized generative AI,\u00bb the company added.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Bug lets attackers fake rankings<\/span><\/p>\n<p class=\"td-desc\">\n      New research has flagged a critical vulnerability in ClawHub, a skills marketplace for OpenClaw, that an attacker could exploit to position their skill as the #1 skill. The flaw stems from the fact that a download counter function named \u00abincrement(),\u00bb which is used to keep track of skill downloads, was exposed as a public mutation rather than an internal private function. Without authentication, rate limiting, or deduplication mechanisms in place, an attacker could continuously trigger the endpoint to artificially inflate the download metric for a given skill. \u00abAn attacker can call downloads:increment with a single curl request with any valid skill ID, bypassing every protection in the download flow and inflating any skill\u2019s downloads counter without limit,\u00bb security researcher Noa Gazit <a href=\"https:\/\/www.silverfort.com\/blog\/clawhub-vulnerability-enables-attackers-to-manipulate-rankings-to-become-the-number-one-skill\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
By gaming the rankings, the threat actor could deceive an unsuspecting developer into installing malicious skills. The issue has since been <a href=\"https:\/\/github.com\/openclaw\/clawhub\/commit\/ba9cdde7036214dfb2806fa045a10b002b56d9b7\" rel=\"noopener\" target=\"_blank\">mitigated by ClawHub<\/a> following responsible disclosure by Silverfort on March 16, 2026.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">npm packages steal crypto keys<\/span><\/p>\n<p class=\"td-desc\">\n      Five newly discovered malicious npm packages have been found to typosquat a legitimate cryptocurrency library and exfiltrate private keys to a single hard-coded Telegram bot. All the packages, ethersproject-wallet, base-x-64, bs58-basic, raydium-bs58, and base_xd, were published under the account \u00abgaledonovan.\u00bb According to <a href=\"https:\/\/socket.dev\/blog\/5-malicious-npm-packages-typosquat-solana-and-ethereum-libraries-steal-private-keys\" rel=\"noopener\" target=\"_blank\">Socket<\/a>, \u00abeach package hooks a function that developers routinely pass private keys through. When that function is called at runtime, the package silently sends the key to a Telegram bot before returning the expected result. The user\u2019s code behaves normally, and there is no visible error or side effect.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Google Forms deliver malware<\/span><\/p>\n<p class=\"td-desc\">\n      A Google Forms campaign is using business-related lures, such as job interviews, project briefs, and financial documents, to distribute malware, including the PureHVNC remote access trojan (RAT). 
\u00abInstead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain,\u00bb Malwarebytes <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/03\/that-job-brief-on-google-forms-could-infect-your-device\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.\u00bb Another campaign has been <a href=\"https:\/\/www.levelblue.com\/blogs\/spiderlabs-blog\/tracing-a-multi-vector-malware-campaign-from-vbs-to-open-infrastructure\" rel=\"noopener\" target=\"_blank\">observed<\/a> using obfuscated Visual Basic Script (VBScript) files to deliver PhantomVAI Loader via PNG image files hosted on Internet Archive to ultimately install Remcos RAT and XWorm.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">APT targets Web3 support teams<\/span><\/p>\n<p class=\"td-desc\">\n      A sophisticated, multi-stage malware campaign directed at customer support staff working for Web3 companies is <a href=\"https:\/\/www.zeroshadow.io\/blog\/malware-q27-customer-support\/\" rel=\"noopener\" target=\"_blank\">leveraging<\/a> suspicious links sent via customer support chat to initiate an attack chain that delivers a malicious executable disguised as a photograph, which then retrieves a second-stage loader from an AWS S3 dead drop. This loader proceeds to retrieve an implant named Farfli (aka Gh0st RAT) that\u2019s launched via DLL side-loading to establish persistent communication with threat actor-controlled infrastructure. 
The campaign has been attributed to APT-Q-27 (aka GoldenEyeDog), a <a href=\"https:\/\/ti.qianxin.com\/blog\/articles\/tracking-the-recent-activities-of-the-apt-q-27-en\/\" rel=\"noopener\" target=\"_blank\">financially motivated threat group<\/a> suspected to be operating out of China since at least 2022. A similar campaign involving the distribution of sketchy links via Zendesk was <a href=\"https:\/\/cystack.net\/research\/malware-linked-apt-q-27\" rel=\"noopener\" target=\"_blank\">documented<\/a> by CyStack last month. The techniques observed include staging payloads inside a directory designed to resemble a Windows Update cache, DLL side-loading, and in-memory execution of the final backdoor. The end goal is to reduce on-disk footprints, blend into normal system behaviour, and make retrospective detection harder.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Cloud phones fuel fraud economy<\/span><\/p>\n<p class=\"td-desc\">\n      Cloud phones are internet-based virtual phone systems powered by Android that allow users to send and receive voice calls, messages, and access features just like a physical device. While early fraud waves leveraged \u00abvirtual\u00bb Android devices hosted on physical phone farms for social media engagement manipulation, fake app reviews and installs, SMS spam, and ad fraud, subsequent iterations have evolved into cloud-based virtual mobile infrastructures that use emulators to mimic phone behavior. Along with it, the abuse of cloud phones \u2013 sold in the form of phone box devices \u2013 for <a href=\"https:\/\/www.deloitte.com\/us\/en\/insights\/industry\/financial-services\/authorized-push-payment-fraud.html\" rel=\"noopener\" target=\"_blank\">financial fraud<\/a> expanded. 
Threat actors can buy, sell, and move cloud phones with pre-loaded e-wallets and pre-verified bank cards and accounts for use in Account TakeOver (ATO) and Authorized Push Payment (<a href=\"https:\/\/www.lseg.com\/en\/risk-intelligence\/glossary\/payment-fraud\/authorised-push-payment-fraud\" rel=\"noopener\" target=\"_blank\">APP<\/a>) scams, Group-IB said. In this scheme, unsuspecting users are tricked into providing their personal banking credentials to fraudsters impersonating bank workers or government officials in order to complete the verification process on the fraudsters\u2019 cloud phone. These cloud phone devices with configured bank cards and accounts are then sold to other parties on darknet markets. \u00abMajor cloud phone platforms like LDCloud, Redfinger, and GeeLark offer device rentals for as little as $0.10-0.50 per hour, making fraud infrastructure accessible to anyone with minimal capital investment,\u00bb the company <a href=\"https:\/\/www.group-ib.com\/blog\/cloud-phones-invisible-threat\/\" rel=\"noopener\" target=\"_blank\">added<\/a>. \u00abDarknet markets actively trade pre-verified dropper accounts created on cloud phones, with Revolut and Wise accounts priced at $50-200 each, often including continued access to the cloud phone instance.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">500K+ IIS servers outdated<\/span><\/p>\n<p class=\"td-desc\">\n      The Shadowserver Foundation <a href=\"https:\/\/x.com\/Shadowserver\/status\/2036017138750861391\" rel=\"noopener\" target=\"_blank\">said<\/a> it\u2019s seeing over 511,000 end-of-life Microsoft IIS instances in its daily scans, out of which over 227,000 instances are beyond the official Microsoft Extended Security Updates (ESU) period. 
Most of them are located in China, the U.S., France, the U.K., Italy, Brazil, India, Japan, Australia, and Russia.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">CCTV abuse triggers crackdown<\/span><\/p>\n<p class=\"td-desc\">\n      Indian authorities have <a href=\"https:\/\/www.medianama.com\/2026\/03\/223-india-cctv-audit-ghaziabad-spy-bust\/\" rel=\"noopener\" target=\"_blank\">ordered<\/a> a comprehensive audit of CCTV systems across the nation following the exposure of a Pakistan-linked spy network that exploited surveillance cameras for espionage purposes. The solar-powered devices, installed at various railway stations and other important infrastructure, allegedly transmitted live footage to handlers linked to Pakistan\u2019s Inter-Services Intelligence (ISI). The Indian government has <a href=\"https:\/\/www.pib.gov.in\/PressReleasePage.aspx?PRID=2245073&amp;reg=3&amp;lang=2\" rel=\"noopener\" target=\"_blank\">outlined<\/a> measures to strengthen the security of CCTV systems, such as mandatory documentation of the origin of critical components, testing of devices against vulnerabilities that could allow unauthorized remote access, and testing of devices for compliance. In tandem, at least 22 people have been <a href=\"https:\/\/www.ndtv.com\/india-news\/massive-pakistan-linked-spy-network-conducted-pre-attack-recon-busted-in-up-ghaziabad-11254630\" rel=\"noopener\" target=\"_blank\">arrested<\/a> in connection with a Pakistan-linked network that engaged in reconnaissance activity. This included five men and a woman who have been accused of taking photos and videos of railway stations and military bases and sending them to handlers in Pakistan. 
These individuals were recruited through social media and encrypted messaging apps and lured with payments ranging from \u20b95,000 to \u20b920,000 per \u00abassignment.\u00bb Compromised CCTV systems can facilitate military operations and intelligence gathering. During the U.S.\u2013Israel\u2013Iran conflict last month, Check Point Research found a sharp surge in exploitation attempts targeting IP cameras by Iran-affiliated threat actors.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">TDS routes victims to scams<\/span><\/p>\n<p class=\"td-desc\">\n      A new traffic distribution system (TDS) codenamed <a href=\"https:\/\/themalwarefiles.com\/threat-intelligence-dossier-toxicsnake-b3e954bd644b\" rel=\"noopener\" target=\"_blank\">TOXICSNAKE<\/a> has been used to route victims to phishing, scam funnels, or malware payloads. The attacks begin with a first-stage JavaScript loader that\u2019s capable of fingerprinting a site visitor, and either returns a redirect URL or a link to a malicious payload.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">PowerShell ransomware evades EDR<\/span><\/p>\n<p class=\"td-desc\">\n      In a new report, Halcyon has revealed that the custom-built Crytox PowerShell Encryptor is able to evade endpoint detection and response (EDR) solutions without the need for additional tooling like HRSword. 
\u00abCrytox targeting continues to focus on virtual infrastructure (hypervisors, VM servers), entry via VPN exploitation, and manual hands-on-keyboard execution, which are all consistent with a deliberate, targeted operation rather than high-volume automated campaigns,\u00bb the company <a href=\"https:\/\/www.halcyon.ai\/ransomware-research-reports\/crytox-consistently-evades-endpoint-security-via-powershell\" rel=\"noopener\" target=\"_blank\">said<\/a>. The development comes as the INC ransomware group has claimed attacks against ten law firms and legal services organizations within a 48-hour period. \u00abThe volume, sector specificity, and timing of these postings suggest the possibility of a coordinated campaign or a shared upstream compromise, such as a supply chain event affecting a common legal technology provider or managed services vendor,\u00bb Halcyon <a href=\"https:\/\/www.halcyon.ai\/ransomware-alerts\/inc-ransom-group-mounts-rapid-campaign-against-law-firms\" rel=\"noopener\" target=\"_blank\">noted<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Stealer exposes NK operator<\/span><\/p>\n<p class=\"td-desc\">\n      New research from Hudson Rock has <a href=\"https:\/\/www.infostealers.com\/article\/infected-by-gta-5-cheats-how-an-infostealer-infection-unmasked-a-north-korean-agent\/\" rel=\"noopener\" target=\"_blank\">found<\/a> a machine belonging to the North Korea IT worker scheme that was accidentally infected with the Lumma Stealer malware after the local user downloaded malicious payloads when searching for GTA V cheats. Interestingly, the exfiltrated stealer logs contained corporate CDN credentials for Funnull, a content delivery network (CDN) that has been leveraged by state-sponsored actors. 
The operator used a \u00abmassive matrix of synthetic identities\u00bb across Western freelance platforms and global hosting providers, while also using five distinct Chrome profiles and one Edge profile to compartmentalize their operations. It\u2019s believed that the machine owner was either a willing facilitator (i.e., a laptop farm host based out of Indonesia) or a North Korean operative.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Polyfill attack tied to DPRK<\/span><\/p>\n<p class=\"td-desc\">\n      The 2024 Polyfill[.]io supply chain attack has been linked to North Korean threat actors after a North Korean operative made a fatal operational security (OPSEC) blunder by downloading a fake software setup file and infecting their own machine with the Lumma Stealer. While the attack was initially linked to Funnull, Hudson Rock <a href=\"https:\/\/www.infostealers.com\/article\/how-one-infostealer-infection-solved-a-global-supply-chain-mystery-and-unmasked-dprk-spies-in-u-s-crypto\/\" rel=\"noopener\" target=\"_blank\">discovered<\/a> that the threat actor downloaded a password-protected ZIP archive hosted on MediaFire that was deceptively named to appear as a legitimate software installer. The evidence collected by the malware from the North Korean hacker\u2019s endpoint included credentials for the Funnull DNS management portal, credentials for the Polyfill Cloudflare tenant (proving that the weaponized domain was under the threat actor\u2019s control), and conversations regarding the malicious domain configuration changes made during the peak of the attack. 
While the threat actor used the \u00abBrian\u00bb persona to pull off the attack, they also managed other identities to conduct IT worker fraud by securing a gig at cryptocurrency exchange Gate and exploiting the access to obtain intelligence on their employer\u2019s security posture and understand blind spots in compliance systems. The same operative, under the \u00abWenyi Han\u00bb alias, is also said to have conducted strategic, state-sponsored data exfiltration, illustrating the severity of the IT worker threat.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Court dismisses WhatsApp case<\/span><\/p>\n<p class=\"td-desc\">\n      A U.S. judge granted a motion to dismiss a case against tech giant Meta brought by a former WhatsApp employee, Attaullah Baig, who accused the company of ignoring privacy and security issues, and putting users\u2019 information in danger. According to <a href=\"https:\/\/www.courthousenews.com\/meta-dodges-retaliation-claims-from-whatsapp-whistleblower\/\" rel=\"noopener\" target=\"_blank\">Courthouse News Service<\/a>, the judge said, \u00abthe complaint does not contain sufficient facts to show that the plaintiff reported violations of SEC rules or regulations, the plaintiff did not plead facts regarding the elements of securities fraud or wire fraud, and his reporting cybersecurity violations does not relate to rules governing internal accounting controls.\u00bb Meta said, \u00abMr. Baig\u2019s allegations misrepresent the hard work of our security team. 
We\u2019re proud of our strong record of protecting people\u2019s privacy and security, and will continue building on it.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Police gain password access powers<\/span><\/p>\n<p class=\"td-desc\">\n      Hong Kong police can now demand phone or computer passwords from those who are suspected of breaching the National Security Law (NSL). Those who refuse to share the passwords could face up to a year in jail and a fine of up to $12,700, and individuals who provide \u00abfalse or misleading information\u00bb could face up to three years in jail. The amendments to the NSL ensure that \u00abactivities endangering national security can be effectively prevented, suppressed and punished, and at the same time the lawful rights and interests of individuals and organisations are adequately protected,\u00bb authorities <a href=\"https:\/\/www.bbc.com\/news\/articles\/ce8j9yj52lro\" rel=\"noopener\" target=\"_blank\">said<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Android RAT sold as MaaS<\/span><\/p>\n<p class=\"td-desc\">\n      A new Android RAT named Oblivion RAT is being sold as a malware-as-a-service (MaaS) platform on cybercrime networks for $300\/month. \u00abThe platform includes a web-based APK builder for the implant, a separate dropper builder that generates convincing fake Google Play update pages, and a C2 panel for real-time device control,\u00bb iVerify <a href=\"https:\/\/iverify.io\/blog\/oblivion-rat-android-spyware-analysis\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abPricing runs $300\/month, $700\/3 months, $1,300\/6 months, or $2,200 lifetime, with 7-day demo accounts available.\u00bb Oblivion is distributed via dropper APKs sent to victims as part of social engineering attacks. Once installed, the dropper apps present a Google Play update flow to sideload the embedded RAT payload. As with other Android malware families, Oblivion abuses Android\u2019s accessibility services API to grant itself additional permissions and steal sensitive data. \u00abThe core of the social engineering is the Accessibility Page builder, which generates a pixel-perfect replica of Android\u2019s accessibility service settings screen,\u00bb iVerify said. \u00abEvery text element is operator-controlled: page title, section headers, the Enable button, and a descriptive info message. When the victim taps Enable, they grant the implant\u2019s accessibility service full control over the device UI.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<\/ol>\n<\/section>\n<\/div>\n<p>Disruptions don\u2019t really stick anymore. Stuff gets taken down, shuffled around, then quietly comes back like nothing happened. Same tactics, slightly cleaner execution.<\/p>\n<p>A lot of this leans on built-in trust. Familiar tools, normal flows, things people stop questioning. That gap between \u201clooks fine\u201d and \u201cdefinitely not fine\u201d is still doing most of the work.<\/p>\n<p>Nothing here is shocking on its own. Put together, though, it\u2019s a bit uncomfortable. Scroll on.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Some weeks in security feel loud. This one feels sneaky. Less big dramatic fireworks, more of that slow creeping sense that too many people are getting way too comfortable abusing things they probably shouldn\u2019t even be touching. There\u2019s a little bit of everything in this one, too. 
Weird delivery tricks, old problems coming back in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[24,1315,1317,365,1316,37,1313,23,19,1314],"class_list":["post-378","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-cyberdefensa-mx","tag-hunting","tag-kits","tag-phishing","tag-pirated","tag-pqc","tag-push","tag-stories","tag-traps","tag-vuln"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=378"}],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/378\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
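The Oblivion RAT item above describes a two-stage chain: a dropper that needs to install a bundled APK, a "Google Play update" lure, and an accessibility service the victim is tricked into enabling. Those traits leave static footprints in a decoded AndroidManifest.xml and in the APK's asset listing. The following triage script is an added example for this bulletin, not iVerify's tooling and not derived from an Oblivion sample; it assumes the manifest has already been decoded to text XML (for instance with apktool), the indicator weights and the `triage_manifest` / `accessibility_services` helpers are this example's own assumptions, and the sample manifest and asset list are constructed.

```python
"""Static triage of a decoded AndroidManifest.xml for the dropper-plus-RAT
pattern: install-capable dropper, overlay/lure permissions, and a service that
binds as an accessibility service. Added example; assumes text XML input."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Indicator weights are this example's assumption, not a published scoring model.
PERMISSION_WEIGHTS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": ("can sideload a staged APK", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay: fake update/settings pages", 2),
    "android.permission.READ_SMS": ("reads SMS (OTP theft)", 2),
    "android.permission.RECEIVE_SMS": ("intercepts SMS", 2),
    "android.permission.QUERY_ALL_PACKAGES": ("enumerates installed apps", 1),
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def declared_permissions(root):
    """Set of android:name values from every <uses-permission> element."""
    return {el.get(A_NAME) for el in root.iter("uses-permission") if el.get(A_NAME)}


def accessibility_services(root):
    """Names of <service> elements that bind as accessibility services, either
    through the BIND_ACCESSIBILITY_SERVICE permission or the intent-filter action."""
    found = []
    for svc in root.iter("service"):
        binds = svc.get(A_PERMISSION) == BIND_ACCESSIBILITY
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            found.append(svc.get(A_NAME, "<unnamed>"))
    return found


def triage_manifest(xml_text, asset_names=()):
    """Score one APK's decoded manifest plus its asset listing for dropper/RAT traits."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    hits, score = [], 0
    for perm, (why, weight) in PERMISSION_WEIGHTS.items():
        if perm in perms:
            hits.append(f"{perm}: {why}")
            score += weight
    svcs = accessibility_services(root)
    if svcs:
        hits.append("accessibility service(s): " + ", ".join(svcs))
        score += 3
    embedded = [a for a in asset_names if a.lower().endswith(".apk")]
    if embedded:
        hits.append("embedded APK in assets: " + ", ".join(embedded))
        score += 3
    # The pairing is what matters: an app that can install packages AND carries one.
    dropper_chain = bool(embedded) and INSTALL_PERM in perms
    return {
        "package": root.get("package"),
        "score": score,
        "dropper_chain": dropper_chain,
        "verdict": "suspicious" if score >= 6 or dropper_chain else "low",
        "indicators": hits,
    }


# Constructed sample: the shape a dropper-style manifest takes once decoded.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.playupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Google Play Update">
    <activity android:name=".UpdateActivity"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""
SAMPLE_ASSETS = ["assets/fonts/roboto.ttf", "assets/update.apk"]  # constructed listing

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST, SAMPLE_ASSETS)
    print(result["package"], result["verdict"], result["score"])
    for line in result["indicators"]:
        print(" -", line)
```

This is triage, not a verdict: app stores, device-management agents and genuine accessibility tools legitimately declare some of these permissions, and the manifest says nothing about the pixel-perfect fake settings page that does the real work in the Oblivion chain. Treat a hit as a reason to pull the embedded APK out of the assets and look at what the accessibility service does once enabled.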