
Invasive Israeli-founded bloatware is harvesting data from Samsung users in WANA

IronSource Expands Samsung Partnership, Launching on Samsung Mobile Devices in MENA https://www.businesswire.com/news/home/20221103005106/en/iro…es-in-MENA


Across West Asia and North Africa (WANA), growing concerns about digital surveillance have placed Israeli cybersecurity firms and their software under intense scrutiny. Among the most alarming cases is AppCloud, a pre-installed application on Samsung’s A and M series smartphones.

The bloatware cannot be uninstalled easily because it runs on the device’s operating system. Removing the AppCloud package requires root access to the phone (the highest level of control in a computer system). Its privacy policy is nowhere to be found online and opting out is not always available.

But the real concern lies in who owns AppCloud. When investigating further, we discovered that AppCloud’s privacy policy can be traced back to the controversial Israeli-founded company ironSource (now owned by the American company Unity). ironSource is notorious for its questionable practices regarding user consent and data privacy.

Google backpedals on new Android developer registration rules

Google is backpedaling on its decision to introduce new identity verification rules for all developers, stating that it will also introduce accounts for limited app distribution and will allow users to install apps from unverified devs.

As announced in August, Google was planning to introduce what it called “Developer Verification” starting in 2026 to block malware spreading via sideloaded apps sourced from outside the official Google Play app store.

The new rules require that all apps must originate from developers with verified identities to be installed on certified Android devices; otherwise, their installation will be blocked.

Anthropic claims of Claude AI-automated cyberattacks met with doubt

Anthropic reports that a Chinese state-sponsored threat group, tracked as GTG-1002, carried out a cyber-espionage operation that was largely automated through the abuse of the company’s Claude Code AI model.

However, Anthropic’s claims immediately sparked widespread skepticism, with security researchers and AI practitioners calling the report “made up” or accusing the company of overstating the incident.

“I agree with Jeremy Kirk’s assessment of the Anthropic’s GenAI report. It’s odd. Their prior one was, too,” cybersecurity expert Kevin Beaumont posted on Mastodon.

Logitech confirms data breach after Clop extortion attack

Hardware accessory giant Logitech has confirmed it suffered a data breach in a cyberattack claimed by the Clop extortion gang, which conducted Oracle E-Business Suite data theft attacks in July.

Logitech International S.A. is a Swiss multinational electronics company that sells hardware and software solutions, including computer peripherals, gaming, video collaboration, music, and smart home products.

Today, Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission, confirming that data was stolen in a breach.

RCE flaw in ImunifyAV puts millions of Linux-hosted sites at risk

The ImunifyAV malware scanner for Linux servers, used by tens of millions of websites, is vulnerable to a remote code execution vulnerability that could be exploited to compromise the hosting environment.

The issue affects versions of the AI-bolit malware scanning component prior to 32.7.4.0. The component is present in the Imunify360 suite, the paid ImunifyAV+, and in ImunifyAV, the free version of the malware scanner.

According to security firm Patchstack, the vulnerability has been known since late October, when ImunifyAV’s vendor, CloudLinux, released fixes. Currently, the flaw has not been assigned an identifier.

Kraken ransomware benchmarks systems for optimal encryption choice

The Kraken ransomware, which targets Windows and Linux/VMware ESXi systems, is testing machines to check how fast it can encrypt data without overloading them.

According to Cisco Talos researchers, Kraken’s feature is a rare capability that uses temporary files to choose between full and partial data encryption.

The Kraken ransomware emerged at the beginning of the year as a continuation of the HelloKitty operation, and engages in big-game hunting attacks with data theft for double extortion.

CISA warns of Akira ransomware Linux encryptor targeting Nutanix VMs

US government agencies are warning that the Akira ransomware operation has been spotted encrypting Nutanix AHV virtual machines in attacks.

An updated joint advisory from CISA, the FBI, the Department of Defense Cyber Crime Center (DC3), the Department of Health and Human Services (HHS), and several international partners alerts that Akira ransomware has expanded its encryption capabilities to Nutanix AHV VM disk files.

The advisory includes new indicators of compromise and tactics observed through FBI investigations and third-party reporting as recent as November 2025.
