SparkCat Malware Uses OCR to Extract Crypto Wallet Recovery Phrases from Images - Related to wallet, flag, images, ocr, extract

A Tumultuous Week for Federal Cybersecurity Efforts

President Trump last week issued a flurry of executive orders that upended a number of government initiatives focused on improving the nation’s cybersecurity posture. The president fired all advisors from the Department of Homeland Security’s Cyber Safety Review Board, called for the creation of a strategic cryptocurrency reserve, and voided a Biden administration action that sought to reduce the risks that artificial intelligence poses to consumers, workers and national security.

On his first full day back in the White House, Trump dismissed all 15 advisory committee members of the Cyber Safety Review Board (CSRB), a nonpartisan government entity established in February 2022 with a mandate to investigate the causes of major cybersecurity events. The CSRB has so far produced three detailed reports, including an analysis of the Log4Shell vulnerability crisis, attacks from the cybercrime group LAPSUS$, and the 2023 Microsoft Exchange Online breach.

The CSRB was in the midst of an inquiry into cyber intrusions uncovered in recent times across a broad spectrum of [website] telecommunications providers at the hands of Chinese state-sponsored hackers. One of the CSRB’s most recognizable names is Chris Krebs (no relation), the former director of the Cybersecurity and Infrastructure Security Agency (CISA). Krebs was fired by President Trump in November 2020 for declaring the presidential contest was the most secure in American history, and for refuting Trump’s false hints at of election fraud.

South Dakota Governor Kristi Noem, confirmed by the [website] Senate last week as the new director of the DHS, criticized CISA at her confirmation hearing, TheRecord reports.

Noem told lawmakers CISA needs to be “much more effective, smaller, more nimble, to really fulfill their mission,” which she expressed should be focused on hardening federal IT systems and hunting for digital intruders. Noem expressed the agency’s work on fighting misinformation reveals it has “gotten far off mission” and involved “using their resources in ways that was never intended.”.

“The misinformation and disinformation that they have stuck their toe into and meddled with, should be refocused back onto what their job is,” she expressed.

Moses Frost, a cybersecurity instructor with the SANS Institute, compared the sacking of the CSRB members to firing all of the experts at the National Transportation Safety Board (NTSB) while they’re in the middle of an investigation into a string of airline disasters.

Speaking of transportation, The Record notes that Transportation Security Administration chief David Pekoske was fired despite overseeing critical cybersecurity improvements across pipeline, rail and aviation sectors. Pekoske was appointed by Trump in 2017 and had his 5-year tenure renewed in 2022 by former President Joe Biden.

Shortly after being sworn in for a second time, Trump voided a Biden executive order that focused on supporting research and development in artificial intelligence. The previous administration’s order on AI was crafted with an eye toward managing the safety and security risks introduced by the technology. But a statement released by the White House mentioned Biden’s approach to AI had hindered development, and that the United States would support AI systems that are “free from ideological bias or engineered social agendas,” to maintain leadership.

The Trump administration issued its own executive order on AI, which calls for an “AI Action Plan” to be led by the assistant to the president for science and technology, the White House “AI & crypto czar,” and the national security advisor. It also directs the White House to revise and reissue policies to federal agencies on the government’s acquisition and governance of AI “to ensure that harmful barriers to America’s AI leadership are eliminated.”.

Trump’s AI & crypto czar is David Sacks, an entrepreneur and Silicon Valley venture capitalist who argues that the Biden administration’s approach to AI and cryptocurrency has driven innovation overseas. Sacks recently asserted that non-fungible cryptocurrency tokens and memecoins are neither securities nor commodities, but rather should be treated as “collectibles” like baseball cards and stamps.

There is already a legal definition of collectibles under the [website] tax code that applies to things like art or antiques, which can be subject to high capital gains taxes. But Joe Hall, a capital markets attorney and partner at Davis Polk, told Fortune there are no market regulations that apply to collectibles under [website] securities law. Hall presented Sacks’ comments “suggest a viewpoint that it would not be appropriate to regulate these things the way we regulate securities.”.

The new administration’s position makes sense considering that the Trump family is deeply and personally invested in a number of recent memecoin ventures that have attracted billions from investors. President Trump and First Lady Melania Trump each launched their own vanity memecoins this month, dubbed $TRUMP and $MELANIA.

The Wall Street Journal reported Thursday the market capitalization of $TRUMP stood at about $7 billion, down from a peak of near $15 billion, while $MELANIA is hovering somewhere in the $460 million mark. Just two months before the 2024 election, Trump’s three sons debuted a cryptocurrency token called World Liberty Financial.

Despite maintaining a considerable personal stake in how cryptocurrency is regulated, Trump issued an executive order on January 23 calling for a working group to be chaired by Sacks that would develop “a federal regulatory framework governing digital assets, including stablecoins,” and evaluate the creation of a “strategic national digital assets stockpile.”.

Translation: Using taxpayer dollars to prop up the speculative, volatile, and highly risky cryptocurrency industry, which has been marked by endless scams, rug-pulls, 8-figure cyber heists, rampant fraud, and unrestrained innovations in money laundering.

Prior to the election, President Trump frequently vowed to use a second term to exact retribution against his perceived enemies. Part of that promise materialized in an executive order Trump issued last week titled “Ending the Weaponization of the Federal Government,” which decried “an unprecedented, third-world weaponization of prosecutorial power to upend the democratic process,” in the prosecution of more than 1,500 people who invaded the [website] Capitol on Jan. 6, 2021.

On Jan. 21, Trump commuted the sentences of several leaders of the Proud Boys and Oath Keepers who were convicted of seditious conspiracy. He also issued “a full, complete and unconditional pardon to all other individuals convicted of offenses related to events that occurred at or near the United States Capitol on January 6, 2021,” which include those who assaulted law enforcement officers.

The New York Times reports “the language of the document points to — but does not explicitly state — that the Trump administration review will examine the actions of local district attorneys or state officials, such as the district attorneys in Manhattan or Fulton County, Ga., or the New York attorney general, all of whom filed cases against President Trump.”.

Another Trump order called “Restoring Freedom of Speech and Ending Federal Censorship” asserts:

“Over the last 4 years, the previous administration trampled free speech rights by censoring Americans’ speech on online platforms, often by exerting substantial coercive pressure on third parties, such as social media companies, to moderate, deplatform, or otherwise suppress speech that the Federal Government did not approve,” the Trump administration alleged. “Under the guise of combatting ‘misinformation,’ ‘disinformation,’ and ‘malinformation,’ the Federal Government infringed on the constitutionally protected speech rights of American citizens across the United States in a manner that advanced the Government’s preferred narrative about significant matters of public debate.”.

Both of these executive orders have potential implications for security, privacy and civil liberties activists who have sought to track conspiracy theories and raise awareness about disinformation efforts on social media coming from [website] adversaries.

In the wake of the 2020 election, Republicans created the House Judiciary Committee’s Select Subcommittee on the Weaponization of the Federal Government. Led by GOP Rep. Jim Jordan of Ohio, the committee’s stated purpose was to investigate alleged collusion between the Biden administration and tech companies to unconstitutionally shut down political speech.

The GOP committee focused much of its ire at members of the short-lived Disinformation Governance Board, an advisory board to DHS created in 2022 (the “combating misinformation, disinformation, and malinformation” quote from Trump’s executive order is a reference to the board’s stated mission). Conservative groups seized on social media posts made by the director of the board, who resigned after facing death threats. The board was dissolved by DHS soon after.

In his first administration, President Trump created a special prosecutor to probe the origins of the FBI’s investigation into possible collusion between the Trump campaign and Russian operatives seeking to influence the 2016 election. Part of that inquiry examined evidence gathered by some of the world’s most renowned cybersecurity experts who identified frequent and unexplained communications between an email server used by the Trump Organization and Alfa Bank, one of Russia’s largest financial institutions.

Trump’s Special Prosecutor John Durham later subpoenaed and/or deposed dozens of security experts who’d collected, viewed or merely commented on the data. Similar harassment and deposition demands would come from lawyers for Alfa Bank. Durham ultimately indicted Michael Sussman, the former federal cybercrime prosecutor who reported the oddity to the FBI. Sussman was acquitted in May 2022. Last week, Trump appointed Durham to lead the [website] attorney’s office in Brooklyn, NY.

Quinta Jurecic at Lawfare notes that while the executive actions are ominous, they are also vague, and could conceivably generate either a campaign of retaliation, or nothing at all.

“The two orders establish that there will be investigations but leave open the questions of what kind of investigations, what will be investigated, how long this will take, and what the consequences might be,” Jurecic wrote. “It is difficult to draw firm conclusions as to what to expect. Whether this ambiguity is intentional or the result of sloppiness or disagreement within Trump’s team, it has at least one immediate advantage as far as the president is concerned: generating fear among the broad universe of potential subjects of those investigations.”.

On Friday, Trump moved to fire at least 17 inspectors general, the government watchdogs who conduct audits and investigations of executive branch actions, and who often uncover instances of government waste, fraud and abuse. Lawfare’s Jack Goldsmith argues that the removals are probably legal even though Trump defied a 2022 law that required congressional notice of the terminations, which Trump did not give.

“Trump probably acted lawfully, I think, because the notice requirement is probably unconstitutional,” Goldsmith wrote. “The real bite in the 2022 law, however, comes in the limitations it places on Trump’s power to replace the terminated IGs—limitations that I believe are constitutional. This aspect of the law will make it hard, but not impossible, for Trump to put loyalists atop the dozens of vacant IG offices around the executive branch. The ultimate fate of IG independence during Trump [website], however, depends less on legal protections than on whether Congress, which traditionally protects IGs, stands up for them now. Don’t hold your breath.”.

Among the many Biden administration executive orders revoked by President Trump last week was an action from December 2021 establishing the United States Council on Transnational Organized Crime, which is charged with advising the White House on a range of criminal activities, including drug and weapons trafficking, migrant smuggling, human trafficking, cybercrime, intellectual property theft, money laundering, wildlife and timber trafficking, illegal fishing, and illegal mining.

So far, the White House doesn’t appear to have revoked an executive order that former President Biden issued less than a week before President Trump took office. On Jan. 16, 2025, Biden released a directive that focused on improving the security of federal agencies and contractors, and giving the government more power to sanction the hackers who target critical infrastructure.

The North Korea-linked Lazarus Group has been linked to an active campaign that leverages fake LinkedIn job offers in the cryptocurrency and travel se......

Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments.

A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting......

Experts Flag Security, Privacy Risks in DeepSeek AI App

New mobile apps from the Chinese artificial intelligence (AI) enterprise DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks.

the upstart Chinese AI firm had managed to match the abilities of cutting-edge chatbots while using a fraction of the specialized computer chips that leading AI companies rely on. As of this writing, DeepSeek is the third most-downloaded “free” app on the Apple store, and #1 on Google Play.

DeepSeek’s rapid rise caught the attention of the mobile security firm NowSecure, a Chicago-based enterprise that helps clients screen mobile apps for security and privacy threats. In a teardown of the DeepSeek app , NowSecure urged organizations to remove the DeepSeek iOS mobile app from their environments, citing security concerns.

NowSecure founder Andrew Hoog presented they haven’t yet concluded an in-depth analysis of the DeepSeek app for Android devices, but that there is little reason to believe its basic design would be functionally much different.

Hoog told KrebsOnSecurity there were a number of qualities about the DeepSeek iOS app that suggest the presence of deep-seated security and privacy risks. For starters, he expressed, the app collects an awful lot of data about the user’s device.

“They are doing some very interesting things that are on the edge of advanced device fingerprinting,” Hoog mentioned, noting that one property of the app tracks the device’s name — which for many iOS devices defaults to the customer’s name followed by the type of iOS device.

The device information shared, combined with the user’s Internet address and data gathered from mobile advertising companies, could be used to deanonymize clients of the DeepSeek iOS app, NowSecure warned. The findings notes that DeepSeek communicates with Volcengine, a cloud platform developed by ByteDance (the makers of TikTok), although NowSecure stated it wasn’t clear if the data is just leveraging ByteDance’s digital transformation cloud service or if the declared information share extends further between the two companies.

Perhaps more concerning, NowSecure presented the iOS app transmits device information “in the clear,” without any encryption to encapsulate the data. This means the data being handled by the app could be intercepted, read, and even modified by anyone who has access to any of the networks that carry the app’s traffic.

“The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels,” the findings observed. “Since this protection is disabled, the app can (and does) send unencrypted data over the internet.”.

Hoog mentioned the app does selectively encrypt portions of the responses coming from DeepSeek servers. But they also found it uses an insecure and now deprecated encryption algorithm called 3DES (aka Triple DES), and that the developers had hard-coded the encryption key. That means the cryptographic key needed to decipher those data fields can be extracted from the app itself.

There were other, less alarming security and privacy issues highlighted in the investigation, but Hoog introduced he’s confident there are additional, unseen security concerns lurking within the app’s code.

“When we see people exhibit really simplistic coding errors, as you dig deeper there are usually a lot more issues,” Hoog expressed. “There is virtually no priority around security or privacy. Whether cultural, or mandated by China, or a witting choice, taken together they point to significant lapse in security and privacy controls, and that puts companies at risk.”.

Apparently, plenty of others share this view. Axios reported on January 30 that [website] congressional offices are being warned not to use the app.

“[T]hreat actors are already exploiting DeepSeek to deliver malicious software and infect devices,” read the notice from the chief administrative officer for the House of Representatives. “To mitigate these risks, the House has taken security measures to restrict DeepSeek’s functionality on all House-issued devices.”.

Italy and Taiwan have already moved to ban DeepSeek over security concerns. Bloomberg writes that The Pentagon has blocked access to DeepSeek. CNBC says NASA also banned employees from using the service, as did the [website] Navy.

Beyond security concerns tied to the DeepSeek iOS app, there are indications the Chinese AI firm may be playing fast and loose with the data that it collects from and about people. On January 29, researchers at Wiz showcased they discovered a publicly accessible database linked to DeepSeek that exposed “a significant volume of chat history, backend data and sensitive information, including log streams, API secrets, and operational details.”.

“More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world,” Wiz wrote. [Full disclosure: Wiz is currently an advertiser on this website.].

KrebsOnSecurity sought comment on the investigation from DeepSeek and from Apple. This story will be updated with any substantive replies.

The foundations for social engineering attacks – manipulating humans – might not have changed much over the years. It's the vectors – how these techni......

Windows 11's January 28 optional revision has fixed a long-standing issue in Windows 11 24H2 that prevents non-admin individuals from changing their time zone......

The [website] Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset managem......

SparkCat Malware Uses OCR to Extract Crypto Wallet Recovery Phrases from Images

A new malware campaign dubbed SparkCat has leveraged a suit of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemonic phrases associated with cryptocurrency wallets.

The attacks leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to a command-and-control (C2) server, Kaspersky researchers Dmitry Kalinin and Sergey Puzan introduced in a technical findings.

The moniker is a reference to an embedded software development kit (SDK) that employs a Java component called Spark that masquerades as an analytics module. It's currently not known whether the infection was a result of a supply chain attack or if it was intentionally introduced by the developers.

While this is not the first time Android malware with OCR capabilities has been detected in the wild, it's one of the first instances where such a stealer has been found in Apple's App Store. The infected apps in Google Play are expressed to have been downloaded over 242,000 times.

The campaign is assessed to have been active since March 2024, with the apps distributed via both official and unofficial app stores. The applications masquerade as artificial intelligence (AI), food delivery, and Web3 apps, although some of them appear to offer legitimate functionality.

"The Android malware module would decrypt and launch an OCR plug-in built with Google's ML Kit library, and use that to recognize text it found in images inside the gallery," Kaspersky expressed. "Images that matched keywords received from the C2 were sent to the server."

In a similar vein, the iOS version of SparkCat relies on Google's ML Kit library for OCR to steal images containing mnemonic phrases. A notable aspect of the malware is its use of a Rust-based communication mechanism for C2, something rarely observed in mobile apps.

Further analysis of keywords used and the regions where these apps were made available indicate that the campaign is primarily targeting customers in Europe and Asia. It's assessed that the malicious activity is the work of a threat actor who is fluent in Chinese.

"What makes this Trojan particularly dangerous is that there's no indication of a malicious implant hidden within the app," the researchers stated. "The permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance."

The disclosure comes as Zimperium zLabs detailed another mobile malware campaign targeting Indian Android device owners by distributing malicious APK files via WhatsApp under the guise of banking and government applications, allowing the apps to harvest sensitive perusal and financial information.

The cybersecurity corporation stated it has identified over 1,000 phony apps linked to the campaign, with the attackers leveraging roughly 1,000 hard-coded phone numbers as exfiltration points for SMS messages and one-time passwords (OTPs).

"Unlike conventional banking Trojans that rely solely on command-and-control (C&C) servers for one-time password (OTP) theft, this malware campaign leverages live phone numbers to redirect SMS messages, leaving a traceable digital trail for law enforcement agencies to track the threat actors behind this campaign," security researcher Aazim Yaswant said.

The attack campaign, named FatBoyPanel, is showcased to have amassed [website] GB of sensitive data to date, all of which is hosted on Firebase endpoints that are accessible to anyone sans authentication.

This includes SMS messages from Indian banks, bank details, credit and debit card information, and government-issued identification details belonging to about 50,000 individuals, a majority of whom are located in the Indian states of West Bengal, Bihar, Jharkhand, Karnataka, and Madhya Pradesh.

These incidents tell a cautionary tale of the importance of properly vetting code apps, including scrutinizing reviews and checking the authenticity of the developers, before downloading them, even if they are uploaded to official app storefronts.

The development also follows the emergence of 24 new malware families targeting Apple macOS systems in 2024, up from 21 in 2023, .

This coincides with a surge in information stealer attacks, such as those involving Poseidon, Atomic, and Cthulhu, that are specifically aimed at the individuals of the desktop operating system.

"Infostealers leveraging macOS often exploit the native AppleScript framework," Palo Alto Networks Unit 42 researchers Tom Fakterman, Chen Erlich, and Tom Sharon noted in a research .

"This framework provides extensive OS access, and it also simplifies execution with its natural language syntax. Since these prompts can look like legitimate system prompts, threat actors use this framework to trick victims via social engineering."

A malware campaign has been observed delivering a remote access trojan (RAT) named AsyncRAT by making use of Python payloads and TryCloudflare tunnels......

​AMD has released mitigation and firmware updates to address a high-severity vulnerability that can be exploited to load malicious CPU microcode on un......

Microsoft has released a PowerShell script to help Windows people and admins enhancement bootable media so it utilizes the new.