- \n
- Hackers hid a stealer in a fake TradingView Premium.<\/li>\n
- Researchers uncovered a stealer that targets crypto users.<\/li>\n
- Extortionists threatened to feed artists\u2019 work to AI models.<\/li>\n
- A vulnerability was found in the control of Chinese robots.<\/li>\n<\/ul>\n<\/div>\n
Hackers hid a stealer in a fake TradingView Premium<\/h2>\n
Cybercriminals ran fake ads offering a free installation of TradingView Premium to deliver malware to victims\u2019 Android devices, Bitdefender researchers reported<\/a>.<\/p>\n
The Brokewell malware appeared in early 2024. It has a wide range of capabilities, including theft of confidential data, remote monitoring and control of an infected device.<\/p>\n
According to the researchers, the campaign targeted cryptocurrency users. It has been active since at least July 22, using about 75 ads localised for the Russian-speaking segment.<\/p>\n
![\"TradingView-Labubu\"](\"https:\/\/forklog.com\/wp-content\/uploads\/TradingView-Labubu.webp\")
An example of the attackers\u2019 ad. Source: Bitdefender.<\/figcaption><\/figure>\n When victims clicked the link, they were redirected to a site masquerading as the official TradingView page, which offered the malicious file tw-update.apk. After installation, the app requested Accessibility permissions. If granted, it opened a supposed system update window while the infostealer silently granted itself the required privileges.<\/p>\n
The attackers also tried to obtain the phone\u2019s lock-screen PIN by imitating an Android system prompt.<\/p>\n
![\"fake_tradingview_stealler\"](\"https:\/\/forklog.com\/wp-content\/uploads\/fake_tradingview_stealler.webp\")
A prompt to enter the phone\u2019s lock-screen PIN shown by the malware. Source: Bitdefender.<\/figcaption><\/figure>\n Experts noted the scheme targeted only mobile users: visitors from other devices saw harmless content.<\/p>\n
According to Bitdefender, the fake app is an \u201cextended version of the Brokewell malware\u201d and supports the following functions:<\/p>\n
- \n
- scans for BTC, ETH, USDT and IBAN bank details;<\/li>\n
- steals and exports Google Authenticator codes;<\/li>\n
- takes over accounts via fake login screens;<\/li>\n
- records the screen and keystrokes, steals cookies, activates the camera and microphone, and tracks geolocation;<\/li>\n
- intercepts SMS, including banking and 2FA codes, by replacing the default messaging app;<\/li>\n
- can receive remote commands via Tor or WebSockets to send SMS, place calls, delete software or even self-destruct.<\/li>\n<\/ul>\n
Researchers found a stealer dangerous to crypto users<\/h2>\n
Researchers at F6 reported<\/a> the Phantom Papa campaign discovered in June. Attackers sent emails in Russian and English with attachments containing the Phantom stealer.<\/p>\n
Malware based on the code of the CaaS<\/span><\/a> tool Stealerium enables operators to steal passwords, banking and cryptocurrency information, and the contents of browsers and messengers.<\/p>\n
The recipients of the stealer-laden emails were organisations from various sectors: retail, industry, construction and IT.<\/p>\n
The report notes the use of lurid subjects such as See My Nude Pictures and Videos. Classic phishing lures also appeared, for example \u201cAttached copy of payment No.06162025\u201d.<\/p>\n
![\"phantom_stealler\"](\"https:\/\/forklog.com\/wp-content\/uploads\/phantom_stealler.webp\")
A fragment of the attackers\u2019 phishing email offering to download an archive. Source: F6.<\/figcaption><\/figure>\n When recipients unpacked and launched files with .img and .iso extensions from RAR attachments, the malware infiltrated the device. On execution, Phantom collected detailed information about the hardware and system configuration, and stole cookies, passwords, payment-card data from the browser, images and documents. The stolen data was delivered via Telegram bots such as papaobilogs.<\/p>\n
Another risk for cryptocurrency holders is the Clipper module. In an infinite loop with a two-second interval, it read the clipboard. If the content changed, the malware wrote it to a file, then scanned the active window for terms linked to crypto services: \u201cbitcoin\u201d, \u201cmonero\u201d, \u201ccrypto\u201d, \u201ctrading\u201d, \u201cwallet\u201d, \u201ccoinbase\u201d.<\/p>\n
If such terms were found, it searched the clipboard for wallet addresses using popular address fragments and replaced any found with preset attacker addresses.<\/p>\n
Phantom also includes a PornDetector module. It can monitor user activity and, if it finds one of the strings \u201cporn\u201d, \u201csex\u201d or \u201chentai\u201d, take a screenshot. If the window remains active, the module then captures an image from the webcam.<\/p>\n
Extortionists threatened to feed art to AI models<\/h2>\n
On August 30, alleged LunaLock extortionists posted on the Artists&Clients service about a breach, 404 Media<\/a> reports.<\/p>\n
The attackers demanded $50,000 in bitcoin or Monero from the owners of the art marketplace. Otherwise, they promised to publish all the data and pass the artworks to AI companies to train LLM<\/span> models.<\/p>\n
A countdown timer on the site gave the owners a few days to raise the sum. At the time of writing, the site is offline.<\/p>\n
\n
\u201cThis is the first case I have seen of threat actors using the threat of training AI models as an element of their extortion tactics\u201d<\/em>, said Flare senior cyber threat analyst Tammy Harper in a comment to 404 Media.<\/p>\n<\/blockquote>\n
She added that such tactics may prove effective against artists given the sensitivity of the issue.<\/p>\n
A vulnerability found in the control of Chinese robots<\/h2>\n
On August 29, a cybersecurity specialist going by BobDaHacker disclosed issues<\/a> in the security of a leading global supplier of commercial robots. The vulnerability allowed machines to obey arbitrary commands.<\/p>\n
Pudu Robotics is a Chinese manufacturer of robots for a wide range of tasks in industry and public places.<\/p>\n
BobDaHacker found that administrative access to the robots\u2019 control software was left unlocked. According to him, an attacker needs only to obtain a valid authorisation token or create a test account intended for trials before purchase.<\/p>\n
After initial authentication, there were no additional security checks. An attacker could redirect food deliveries or disable an entire fleet of restaurant robots, allowing anyone to make serious changes\u2014for example, renaming robots to complicate recovery.<\/p>\n
Cloudflare withstands a record DDoS attack<\/h2>\n
Cloudflare blocked the largest recorded DDoS<\/span> attack, which peaked at 11.5 Tbps, the network services provider said on September 1.<\/p>\n
\n
Cloudflare’s defenses have been working overtime. Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps. The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.\u2026 pic.twitter.com\/3rOys7cfGS<\/a><\/p>\n
\u2014 Cloudflare (@Cloudflare) September 1, 2025<\/a><\/p><\/blockquote>\n