{"id":437,"date":"2026-04-02T14:30:47","date_gmt":"2026-04-02T14:30:47","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/04\/02\/pre-auth-chains-android-rootkits-cloudtrail-evasion-10-more-stories-cyberdefensa-mx\/"},"modified":"2026-04-02T14:30:47","modified_gmt":"2026-04-02T14:30:47","slug":"pre-auth-chains-android-rootkits-cloudtrail-evasion-10-more-stories-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/04\/02\/pre-auth-chains-android-rootkits-cloudtrail-evasion-10-more-stories-cyberdefensa-mx\/","title":{"rendered":"Pre-Auth Chains, Android Rootkits, CloudTrail Evasion &#038; 10 More Stories \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>The\u00a0latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No\u00a0corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this\u00a0week.<\/p>\n<p>Things\u00a0are moving fast. The\u00a0list includes researchers chaining small bugs together to create massive backdoors, old software flaws coming back to haunt us, and some very clever new tricks that let attackers bypass security logs entirely without leaving a trace. We\u00a0are also seeing sketchier traffic on the underground and the usual supply chain mess, where one bad piece of code threatens thousands of\u00a0apps.<\/p>\n<p>It\u00a0is definitely worth a quick scan before you log off for the day, if only to make sure none of this is sitting in your own network. 
Let\u2019s get into\u00a0it.<\/p>\n<div class=\"td-wrap\">\n<section aria-labelledby=\"threatsday-title\" class=\"td-section\">\n<ol class=\"td-timeline\" role=\"list\">\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Pre-auth RCE chain exposed<\/span><\/p>\n<p class=\"td-desc\">\n      watchTowr Labs has <a href=\"https:\/\/labs.watchtowr.com\/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701\/\">disclosed<\/a> two security flaws in Progress ShareFile (CVE-2026-2699 and CVE-2026-2701) that could be chained to achieve pre-authenticated remote code execution. While CVE-2026-2699 is an authentication bypass via the \u00ab\/ConfigService\/Admin.aspx\u00bb endpoint, CVE-2026-2701 refers to a case of post-authenticated remote code execution. An attacker could combine the two vulnerabilities to sidestep authentication and upload web shells. Progress addressed both vulnerabilities in Storage Zone Controller 5.12.4, released on March 10, 2026. 
There are about 30,000 internet-facing instances, making patching against the flaws crucial.\n    <\/p>\n<\/div>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEioKTXaq7xM4Vt_WU85ZwiPlldNVEkHLGi8Sj9yuRHhcAgXYVi7N1XqOyerEZFy73AJvqAjuukO-oQnv6YGbBCGtYidicrPXY0cF9m_105jf5QEx3aIfS1jyFqMG1mk9eotWtJZ8XN1ozEsgx7HCYC3OwcOyrZCmuQ90k1h6S2i9zW6CO39l1_umedd_St4\/s1700-e365\/watch.png\" style=\"clear: left; display: block; float: left;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEioKTXaq7xM4Vt_WU85ZwiPlldNVEkHLGi8Sj9yuRHhcAgXYVi7N1XqOyerEZFy73AJvqAjuukO-oQnv6YGbBCGtYidicrPXY0cF9m_105jf5QEx3aIfS1jyFqMG1mk9eotWtJZ8XN1ozEsgx7HCYC3OwcOyrZCmuQ90k1h6S2i9zW6CO39l1_umedd_St4\/s1700-e365\/watch.png\" alt=\"\" border=\"0\" data-original-height=\"840\" data-original-width=\"1600\"\/><\/a><\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Rootkit spreads via 50+ apps<\/span><\/p>\n<p class=\"td-desc\">\n      A new Android malware named NoVoice has been distributed via more than 50 apps that were downloaded at least 2.3 million times. While apps masqueraded as utilities, image galleries, and games, and offered the advertised functionality, the malware attempted to obtain root access on the device by exploiting 22 Android vulnerabilities that received patches between 2016 and 2021. \u00abIf the exploits succeed, the malware gains full control of the device,\u00bb McAfee Labs <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/\">said<\/a>. \u00abFrom that moment onward, every app that the user opens is injected with attacker-controlled code. 
This allows the operators to access any app data and exfiltrate it to their servers.\u00bb The malware avoids infecting devices in certain regions, like Beijing and Shenzhen in China, and implements more than a dozen checks for emulators, debuggers, and VPNs. It then contacts a remote server to send device information and fetch appropriate exploits to gain root access and disable SELinux. Upon gaining elevated access, the rootkit modifies system libraries to facilitate the execution of malicious code when specific apps are opened, installs arbitrary apps, and enables persistence. NoVoice has been found to share some level of overlap with Triada. One of the targeted apps is WhatsApp, which enabled the malware to harvest data from the app as soon as it was launched. Google has since removed the apps. The highest concentration of infections has been reported in Nigeria, Ethiopia, Algeria, India, and Kenya.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">FBI flags foreign app risks<\/span><\/p>\n<p class=\"td-desc\">\n      The U.S. Federal Bureau of Investigation (FBI) is warning of the data security risks associated with foreign-developed mobile applications. \u00abAs of early 2026, many of the most downloaded and top-grossing apps in the United States are developed and maintained by foreign companies, particularly those based in China,\u00bb the FBI <a href=\"https:\/\/www.ic3.gov\/PSA\/2026\/PSA260331\">said<\/a>. 
\u00abThe apps that maintain digital infrastructure in China are subject to China\u2019s extensive national security laws, enabling the Chinese government to potentially access mobile app users\u2019 data.\u00bb The bureau also warned that these apps may harvest contact information under the pretext of inviting friends to use them, store personal data in Chinese servers, or contain malware that could collect data beyond what is authorized by the user. \u00abThis could include malicious code and hard-to-remove malware designed to exploit known vulnerabilities in various operating systems and insert a backdoor for escalated privileges, such as enabling the download and execution of additional malicious packages designed to provide unauthorized access to users\u2019 data,\u00bb it added. The FBI did not name the apps, but TikTok, Shein, Temu, and DeepSeek fit the profile.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">New bureau targets cyber threats<\/span><\/p>\n<p class=\"td-desc\">\n      The U.S. State Department has officially launched the <a href=\"https:\/\/www.state.gov\/bureaus-offices\/under-secretary-for-arms-control-and-international-security-affairs\/bureau-of-emerging-threats\/\">Bureau of Emerging Threats<\/a>, a new unit <a href=\"https:\/\/abcnews.com\/Politics\/state-department-launches-effort-counter-cyberattacks-ai-risks\/story?id=131265350\">tasked<\/a> with protecting U.S. 
national security against cyber attacks on critical infrastructure, threats in the space domain, and the misuse of artificial intelligence (AI) and other advanced technologies, with a focus on risks posed by Iran, China, Russia, and North Korea.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Cybercrime kingpin extradited<\/span><\/p>\n<p class=\"td-desc\">\n      Li Xiong, the former chairman of a Cambodian financial conglomerate, <a href=\"https:\/\/www.bloomberg.com\/news\/features\/2025-08-01\/huione-s-24-billion-hub-for-cybercrime-is-an-amazon-for-criminals\">HuiOne<\/a>, has been extradited to China. He has been accused of operating gambling dens, fraud, unlawful business operations, and money laundering. According to <a href=\"https:\/\/english.news.cn\/20260401\/ae7ef0da373145ceaaeb35170d1c9c2c\/c.html\">Xinhua<\/a>, Li is said to be a key member of the transnational cybercrime syndicate masterminded by Chen Zhi, the chairman of Prince Group, who was <a href=\"https:\/\/english.news.cn\/20260108\/cc5f710c876b4c8dbc4216a0b300d726\/c.html\">extradited<\/a> to China in January 2026 and has been indicted by the U.S. for operating large-scale, forced-labor \u00abpig butchering\u00bb scam compounds in Southeast Asia. In May 2025, the U.S. Treasury\u2019s Financial Crimes Enforcement Network labeled Huione Group \u00aba financial institution of primary money laundering concern.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Gmail username change arrives<\/span><\/p>\n<p class=\"td-desc\">\n      Google <a href=\"https:\/\/blog.google\/products-and-platforms\/products\/workspace\/google-account-username-change\/\">said<\/a> it\u2019s rolling out the ability to change a username to Google Account users in the U.S. 
\u00abYour previous Google Account email ending in gmail.com will become an alternate email address,\u00bb Google <a href=\"https:\/\/support.google.com\/accounts\/answer\/19870\">said<\/a> in a support document. \u00abYou\u2019ll receive emails to both your old and new addresses. The data saved in your account won\u2019t be affected. This includes things like photos, messages, and emails sent to your previous email address.\u00bb While users can change back to their previous email address at any time, it\u2019s not possible to create a new Google Account email ending in gmail.com for the next 12 months. The new email address cannot be deleted either.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Court halts AI risk label<\/span><\/p>\n<p class=\"td-desc\">\n      A U.S. federal judge has <a href=\"https:\/\/www.axios.com\/2026\/03\/26\/judge-temporarily-blocks-pentagon-ban-anthropic\">temporarily blocked<\/a> the Trump administration\u2019s designation of Anthropic as a supply chain risk. The AI company had argued that the designation was causing immediate and irreparable harm. \u00abNothing in the governing statute supports the Orwellian notion that an American company may be branded a potential adversary and saboteur of the U.S. for expressing disagreement with the government,\u00bb District Judge Rita Lin wrote in the ruling.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Phishing apps target mobile users<\/span><\/p>\n<p class=\"td-desc\">\n      Cybercriminals have set their sights on Android users through a new phishing scheme that disguises malicious applications as beta-testing opportunities for ChatGPT and Meta advertising tools. 
In these attacks, what appears to be an invitation to advertising apps turns out to be a carefully planned attempt to steal Facebook credentials and hijack control of user accounts. \u00abThese messages push malicious apps delivered through \u2018firebase-noreply@google.com\u2019 via Firebase App Distribution, a legitimate Google service for distributing pre-release apps to testers,\u00bb LevelBlue <a href=\"https:\/\/x.com\/SpiderLabs\/status\/2036076835889418406\">said<\/a>. \u00abOnce installed, these apps request Facebook credentials, leading to phishing and account takeover.\u00bb A similar campaign has leveraged phishing emails impersonating ChatGPT and Gemini to push users into downloading malicious iOS apps from the Apple App Store. \u00abDisguised as business or ad management tools, these apps prompt for Facebook credentials, leading to credential harvesting,\u00bb the company <a href=\"https:\/\/x.com\/SpiderLabs\/status\/2029557536488038488\">added<\/a>.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Drive adds ransomware defense<\/span><\/p>\n<p class=\"td-desc\">\n      Google has made ransomware detection and file restoration in Drive generally available after launching the feature in beta in September 2025 to help organizations minimize the impact of malware attacks on personal computers. Ransomware detection pauses file syncing, and file restoration allows users to bulk restore their files to a previous version in Drive. \u00abCompared to when the feature was in beta, we are now able to detect even more types of ransomware encryption and are able to do it faster,\u00bb Google <a href=\"https:\/\/workspaceupdates.googleblog.com\/2026\/03\/ransomware-detection-and-file-restoration-for-Google-Drive-now-generally-available.html\">said<\/a>. 
\u00abOur latest AI model is detecting 14x more infections, leading to even more comprehensive protection.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">GhostSocks activity intensifies<\/span><\/p>\n<p class=\"td-desc\">\n      Cybersecurity company Darktrace <a href=\"https:\/\/www.darktrace.com\/blog\/phantom-footprints-tracking-ghostsocks-malware\">said<\/a> it has observed a steady increase in GhostSocks activity across its customer base since late 2025. \u00abIn one notable case from December 2025, Darktrace detected GhostSocks operating alongside Lumma Stealer, reinforcing that the partnership between Lumma and GhostSocks remains active despite recent attempts to disrupt Lumma\u2019s infrastructure,\u00bb it said. Originally marketed on the Russian underground forum xss[.]is as a malware-as-a-service (MaaS), GhostSocks enables threat actors to turn compromised devices into residential proxies, leveraging the victim\u2019s internet bandwidth to route malicious traffic through it. It utilizes the SOCKS5 proxy protocol, creating a SOCKS5 connection on infected devices. It began to be widely adopted following its partnership with Lumma Stealer in 2024.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Open-source malware spikes 14x<\/span><\/p>\n<p class=\"td-desc\">\n      The number of malware advisories across open-source ecosystems has increased 13.6x since January 2024, as threat actors take control of trusted packages to poison the software supply chain. 
\u00abOf the 1,011 npm ATO [Account takeover] advisories recorded in the OSV database over all time, 930 were filed in 2025, a roughly 12x year-over-year increase representing 92% of all ATOs reported on npm,\u00bb Endor Labs <a href=\"https:\/\/www.endorlabs.com\/learn\/new-research-malware-in-open-source-ecosystems-surges-14x-as-attackers-hijack-trusted-packages\">said<\/a>. Among the 2025 npm ATO cases, 38.4% of affected packages had more than 1,000 monthly downloads, 18.5% exceeded 10,000, and 11.1% had more than 100,000. Attackers are deliberately targeting packages that are deeply embedded in production systems and automated CI\/CD pipelines, maximizing the blast radius of each compromise.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">XLoader boosts stealth tactics<\/span><\/p>\n<p class=\"td-desc\">\n      An updated version of the XLoader information-stealing malware (version 8.7) has been found to incorporate several changes to the code obfuscation to make automation and analysis more difficult. These include the use of encrypted strings that are decrypted at runtime, encrypted code blocks consisting of functions that are decrypted at runtime, and improved methods to conceal hard-coded values and specific functions, per Zscaler. XLoader also uses a combination of multiple encryption layers with different keys for encrypting network traffic. \u00abXLoader continues to be a highly active information stealer that constantly receives updates,\u00bb the company <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/latest-xloader-obfuscation-methods-and-network-protocol\">said<\/a>. 
\u00abAs a result of the malware\u2019s multiple encryption layers, decoy C2 servers, and robust code obfuscation, XLoader has been able to remain largely under the radar.\u00bb\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">ImageMagick zero-days enable RCE<\/span><\/p>\n<p class=\"td-desc\">\n      Cybersecurity researchers have found multiple zero-day vulnerabilities in ImageMagick that could be chained to achieve remote code execution through a single image or PDF upload. According to <a href=\"https:\/\/pwn.ai\/blog\/imagemagick-from-arbitrary-file-read-to-rce-in-every-policy-zeroday\">Pwn.ai<\/a>, the attack works on the default configuration and the most restrictive \u00absecure\u00bb configuration. The issue affects every major Linux distribution, as well as WordPress installations that process image uploads. It remains unpatched as of writing. In the interim, it\u2019s advised to process PDFs in an isolated sandbox with no network access, disable XML-RPC in WordPress, and block GhostScript.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">Attackers evade CloudTrail logging<\/span><\/p>\n<p class=\"td-desc\">\n      Adversaries are <a href=\"https:\/\/www.abstract.security\/blog\/how-attackers-disable-cloudtrail-without-calling-stoplogging-or-deletetrail\">bypassing<\/a> traditional CloudTrail detections, like StopLogging or DeleteTrail, and instead using lesser-known AWS APIs to blind logging systems. 
This includes creating \u00abinvisible activity zones\u00bb with PutEventSelectors, using StopEventDataStoreIngestion and DeleteEventDataStore to halt or destroy long-term forensic visibility, disabling anomaly detection via PutInsightSelectors, and neutralizing cross-account protections through DeleteResourcePolicy and DeregisterOrganizationDelegatedAdmin. \u00abThe real risk is in the sequence: individually, these API calls look like routine maintenance\u2014but chained together, they allow attackers to erase evidence and evade detection entirely,\u00bb Abstract Security said.\n    <\/p>\n<\/div>\n<\/li>\n<li class=\"td-item\">\n  <span aria-hidden=\"true\" class=\"td-dot\"\/><\/p>\n<div class=\"td-stack\">\n    <span class=\"td-punch\">LofyGang deploys dual-payload RAT<\/span><\/p>\n<p class=\"td-desc\">\n      The threat actor known as LofyGang resurfaced with a fake npm package (\u00abundicy-http\u00bb) that delivers a dual-payload attack: a Node.js-based Remote Access Trojan (RAT) with live screen streaming, and a native Windows PE binary that uses direct syscalls to inject into browser processes and steal credentials, cookies, credit cards, IBANs, and session tokens from more than 50 web browsers and 90 cryptocurrency wallet extensions. The session hijacking module targets Roblox, Instagram, Spotify, TikTok, Steam, Telegram, and Discord. \u00abThe Node.js layer independently operates as a full RAT with remote shell, screen capture, webcam\/microphone streaming, file upload, and persistence capabilities, all controlled through a WebSocket C2 panel,\u00bb JFrog <a href=\"https:\/\/research.jfrog.com\/post\/lofygang-returns-a-dual-payload-npm-package\/\">said<\/a>. The Node.js layer also downloads a native PE binary to facilitate data exfiltration via a Discord webhook and a Telegram bot.\n    <\/p>\n<\/div>\n<\/li>\n<\/ol>\n<\/section>\n<\/div>\n<p>Nothing here looks huge on its own. That\u2019s the point. 
Small\u00a0changes, repeated enough times, start to matter. Things\u00a0that used to be hard are getting easier. Things\u00a0that were noisy are getting quiet. You\u00a0stop seeing the obvious signs and start missing the subtle\u00a0ones.<\/p>\n<p>Read it like a pattern, not a list. Same\u00a0ideas showing up in slightly different forms. Systems doing what they\u2019re designed to do\u2014just used differently. That\u00a0gap is where most problems live now. That\u2019s the\u00a0recap.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The\u00a0latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No\u00a0corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this\u00a0week. Things\u00a0are moving fast. The\u00a0list includes researchers chaining small bugs together to create massive backdoors, old software flaws coming [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":438,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[75,634,1504,24,1350,1502,1503,23],"class_list":["post-437","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-noticias","category-trending","tag-android","tag-chains","tag-cloudtrail","tag-cyberdefensa-mx","tag-evasion","tag-preauth","tag-rootkits","tag-stories"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=437"}
],"version-history":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/437\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media\/438"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}