LightSpy Expands to 100+ Commands, Increasing Control Over Windows, macOS, Linux, and Mobile - Related to exploited, update, linux,, 2025, new

Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities

Google has released its monthly Android Security Bulletin for March 2025 to address a total of 44 vulnerabilities, including two that it expressed have come under active exploitation in the wild.

The two high-severity vulnerabilities are listed below -.

CVE-2024-43093 - A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories, and their respective sub-directories.

- A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," and. "Android/sandbox" directories, and their respective sub-directories. CVE-2024-50302 - A privilege escalation flaw in the HID USB component of the Linux kernel that could lead to a leak of uninitialized kernel memory to a local attacker through specially crafted HID reports.

It's worth noting that CVE-2024-43093 was previously flagged by Google in its security advisory for November 2024 as actively exploited in the wild. It's not clear what prompted the tech giant to issue the alert a second time.

The Hacker News has reached out to Google for further comment, and we will upgrade the story if we hear back.

CVE-2024-50302, on the other hand, is one of the three vulnerabilities that were chained into a zero-day exploit devised by Cellebrite to break into a Serbian youth activist's Android phone in December 2024.

The exploit involved the use of CVE-2024-53104, CVE-2024-53197. And CVE-2024-50302 to gain elevated privileges and likely deploy an Android spyware dubbed NoviSpy.

All three vulnerabilities reside in the Linux kernel and were patched late last year. CVE-2024-53104 was addressed by Google in Android last month.

In its advisory, Google acknowledged that both CVE-2024-43093 and CVE-2024-50302 have come under "limited, targeted exploitation."

Additionally, the Mountain View-based enterprise has released two security patch levels, 2025-03-01 and 2025-03-05, so as to give flexibility to Android partners to address a portion of vulnerabilities that are similar across all Android devices more quickly.

The US Cybersecurity and Infrastructure Security Agency says that media reports about it being directed to no longer follow or research on Russian cyber...

Close to 12,000 valid secrets that include API keys and. Passwords have been found in the Common Crawl dataset used for training multiple artificial in...

This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android dev...

The New Ransomware Groups Shaking Up 2025

In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023.

After a slow start, attacks spiked in "Q2 and. Surged in Q4, with 1,827 incidents (33% of the year's total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024.

In 2023 there were just 27 new groups. 2024 saw a dramatic rise with 46 new groups detected. As the year went on the number of groups accelerated with Q4 2024 having 48 groups active.

Of the 46 new ransomware groups in 2024, RansomHub became dominant. Exceeding LockBit's activity. At Cyberint, now a Check Point enterprise, the research team is constantly researching the latest ransomware groups and analyzing them for potential impact. This blog will look at 3 new players, the aforementioned RansomHub, Fog and Lynx and examine their impact in 2024 and delve into their origins and. TTPs.

RansomHub has emerged as the leading ransomware group in 2024, claiming 531 attacks on its Data Leak Site since commencing operations in Feb 2024. Following the FBI's disruption of ALPHV, RansomHub is perceived as its 'spiritual successor,' potentially involving former affiliates.

Operating as a Ransomware-as-a-Service (RaaS), RansomHub enforces strict affiliate agreements, and. RansomHub enforces strict adherence to affiliate agreements, with non-compliance resulting in bans and termination of partnerships. It offers a 90/10 ransom split, Affiliates/Core Group.

While claiming a global hacker community, RansomHub avoids targeting CIS nations, Cuba, North Korea. China, and non-profits, exhibiting characteristics of a traditional Russian ransomware setup. Their avoidance of Russian-affiliated nations and overlap with other Russian ransomware groups in targeted companies further highlight their likely connections to Russia's cybercrime ecosystem.

Cyberint's August 2024 findings indicate a low payment rate: only of victims paid (20 of 190). With negotiations often reducing demands. RansomHub prioritizes attack volume over payment rates, leveraging affiliate expansion to ensure profitability, with the goal of generating substantial revenue over time despite low individual payment success.

RansomHub's ransomware, developed in Golang and C++, targets Windows. Linux, and ESXi, distinguished by its fast encryption. Similarities to GhostSec's ransomware suggest a trend.

RansomHub guarantees free decryption if affiliates fail to provide it post-payment or target prohibited organizations. Their ransomware encrypts data before exfiltration. Potential ties to ALPHV are suggested by attack patterns, indicating similar tools and TTPs could be used.

Sophos research highlights parallels with Knight Ransomware, including Go-language payloads obfuscated with GoObfuscate and. Identical command-line menus.

Fog ransomware appeared in early April 2024, targeting educational networks by exploiting stolen VPN credentials. They use a double-extortion strategy, publishing data on a TOR-based leak site if victims don't pay.

In 2024, they attacked 87 organizations globally. An Arctic Wolf study from November 2024 showed Fog initiated at least 30 intrusions, all via compromised SonicWall VPN accounts. Notably, 75% of these intrusions were linked to Akira, with the rest attributed to Fog, suggesting shared infrastructure and collaboration.

Fog primarily targets education, business services, travel, and manufacturing. With a focus on the Interestingly, Fog is one of the few ransomware groups that prioritize the education sector as their primary target.

Fog ransomware has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours. Its attacks follow a typical ransomware kill chain, encompassing network enumeration, lateral movement, encryption, and data exfiltration. Versions of the ransomware exist for both Windows and Linux platforms.

Type Value Last Observation Date IPv4-Addr Nov 28, 2024 SHA-1 507b26054319ff31f275ba44ddc9d2b5037bd295 Nov 28, 2024 SHA-1 e1fb7d15408988df39a80b8939972f7843f0e785 Nov 28, 2024 SHA-1 83f00af43df650fda2c5b4a04a7b31790a8ad4cf Nov 28, 2024 SHA-1 44a76b9546427627a8d88a650c1bed3f1cc0278c Nov 28, 2024 SHA-1 eeafa71946e81d8fe5ebf6be53e83a84dcca50ba Nov 28, 2024 SHA-1 763499b37aacd317e7d2f512872f9ed719aacae1 Nov 28, 2024 SHA-1 3477a173e2c1005a81d042802ab0f22cc12a4d55 Feb 02. 2025 SHA-1 90be89524b72f330e49017a11e7b8a257f975e9a Nov 28, 2024 Domain-Name Nov 28, 2024 SHA-256 e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3 Aug 20, 2024.

Lynx is a double-extortion ransomware group that has been very active lately, displaying many victimized companies on their website. They state that they avoid targeting government organizations, hospitals, non-profit groups, and other essential social sectors.

Once they gain access to a system. Lynx encrypts files, appending the ."LYNX" extension. They then place a ransom note named "" in multiple directories. In 2024 alone, Lynx claimed more than 70 victims, demonstrating their continued activity and significant presence in the ransomware landscape.

Type Value Last Observation Date MD5 e488d51793fec752a64b0834defb9d1d Sep 08, 2024 Domain-Name Sep 08, 2024 Domain-Name Sep 08, 2024 Domain-Name Sep 08, 2024 IPv4-Addr Sep 08. 2024 IPv4-Addr Sep 08, 2024 MD5 7e851829ee37bc0cf65a268d1d1baa7a Feb 17, 2025.

Due to the crackdown on ransomware groups, the most new groups on record have appeared, seeking to make a name for themselves. In 2025, Cyberint anticipates several of these newer groups to enhance their capabilities and emerge as dominant players, not just RansomHub.

Read Cyberint, now a Check Point organization's 2024 Ransomware investigation for the top targeted industries and countries, a breakdown of the top 3 ransomware groups, ransomware families worth noting, newcomers to the industry, arrests and news. And 2025 forecasts.

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, ...

​Microsoft says a coding issue is behind a now-resolved Microsoft 365 outage over the weekend that affected Outlook and Exchange Online authentication...

Cybersecurity researchers have flagged an updated version of the LightSpy implant that comes equipped with an expanded set of data collection attributes...

LightSpy Expands to 100+ Commands, Increasing Control Over Windows, macOS, Linux, and Mobile

Cybersecurity researchers have flagged an updated version of the LightSpy implant that comes equipped with an expanded set of data collection elements to extract information from social media platforms like Facebook and Instagram.

LightSpy is the name given to a modular spyware that's capable of infecting both Windows and. Apple systems with an aim to harvest data. It was first documented in 2020, targeting consumers in Hong Kong.

Building on these developments, this includes Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, and data from various apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.

Late last year, ThreatFabric detailed an updated version of the malware that incorporates destructive capabilities to prevent the compromised device from booting up, alongside expanding the number of supported plugins from 12 to 28.

Previous findings have also uncovered potential overlaps between LightSpy and an Android malware named DragonEgg, highlighting the cross-platform nature of the threat.

's latest analysis of the malicious command-and-control (C2) infrastructure associated with the spyware has uncovered support for over 100 commands spanning Android, iOS, Windows, macOS, routers. And Linux.

"The new command list shifts focus from direct data collection to broader operational control, including transmission management ('传输控制') and plugin version tracking ('上传插件版本详细信息')," the corporation expressed.

"These additions suggest a more flexible and adaptable framework, allowing LightSpy operators to manage deployments more efficiently across multiple platforms."

Notable among the new commands is the ability to target Facebook and Instagram application database files for data extraction from Android devices. But in an interesting twist, the threat actors have removed iOS plugins associated with destructive actions on the victim host.

Also discovered are 15 Windows-specific plugins designed for system surveillance and data collection, with most of them geared towards keylogging. Audio recording, and USB interaction.

The threat intelligence firm expressed it also discovered an endpoint ("/phone/phoneinfo") in the admin panel that grants logged-in people the ability to remotely control the infected mobile devices. It's currently not known if these represent new developments or previously undocumented older versions.

"The shift from targeting messaging applications to Facebook and Instagram expands LightSpy's ability to collect private messages, contact lists, and account metadata from widely used social platforms," mentioned.

"Extracting these database files could provide attackers with stored conversations, user connections, and potentially session-related data, increasing surveillance capabilities and opportunities for further exploitation."

The disclosure comes as Cyfirma disclosed details of an Android malware dubbed SpyLend that masquerades as a financial app named Finance Simplified (APK name "") on the Google Play Store but engages in predatory lending, blackmail, and extortion aimed at Indian consumers.

"By leveraging location-based targeting, the app displays a list of unauthorized loan apps that operate entirely within WebView, allowing attackers to bypass Play Store scrutiny," the organization showcased.

"Once installed, these loan apps harvest sensitive user data. Enforce exploitative lending practices, and employ blackmail tactics to extort money."

Some of the advertised loan apps are KreditPro (formerly KreditApple), MoneyAPE, StashFur, Fairbalance, and PokketMe. individuals who install Finance Simplified from outside India are served a harmless WebView that lists various calculators for personal finance, accounting, and. Taxation, suggesting that the campaign is designed to specifically target Indian individuals.

The app is no longer available for download from the official Android app marketplace. , the application was -December 2024 and attracted over 100,000 installations.

"Initially presented as a harmless finance management application, it downloads a fraud loan app from an external download URL, which once installed, gains extensive permissions to access sensitive data, including files, contacts, call logs, SMS, clipboard content, and even the camera," Cyfirma pointed out.

Indian retail banking consumers have also become the target of another campaign that distributes a malware codenamed FinStealer that impersonates legitimate bank apps, but is engineered to collect login credentials and facilitate financial fraud by carrying out unauthorized transactions.

"Distributed via phishing links, and social engineering, these fake apps closely mimic legitimate bank apps, tricking people into revealing credentials. Financial data, and personal details," the enterprise stated.

"Using Telegram bots, the malware can receive instructions and send stolen data without raising suspicion, making it more difficult for security systems to detect and block the communication."

The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refini...

CISA has warned US federal agencies to secure their systems against attacks exploiting vulnerabilities in Cisco and Windows systems.

Rubrik disclosed last month that one of its servers hosting log files was breached. Causing the organization to rotate potentially leaked authentication ke...