Dark Web News

Dark Web News – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • DoorDash Confirms Cybersecurity Incident After Social Engineering Attack
    by Samiksha Jain on November 19, 2025 at 7:10 am

    American food delivery platform DoorDash has disclosed a cybersecurity incident after an unauthorized third party accessed certain user information through a targeted social engineering attack. The company confirmed that the data breach affected an unspecified number of users but clarified that no sensitive or financial information was accessed.

    According to DoorDash’s public statement, the incident began when a company employee was manipulated into granting access through a social engineering scam. This reflects a rising trend in which attackers exploit human behavior rather than system weaknesses, posing significant risks even to companies with mature cybersecurity programs.

    DoorDash Cybersecurity Incident: Social Engineering Identified as the Root Cause

    The company revealed that the threat actors did not rely on malware or exploit software vulnerabilities. Instead, they used deceptive tactics to influence an employee and gain initial access. This form of attack continues to challenge organizations, as technical security controls often cannot prevent human error. DoorDash stated that its response team quickly identified the data breach, shut down the unauthorized access, and initiated an internal investigation. The company has also referred the matter to law enforcement.

    What Information Was Accessed in the DoorDash Data Breach

    DoorDash confirmed that some users, spanning consumers, Dashers, and merchants, were impacted. The type of user information accessed varied and may have included:

    - First and last name
    - Phone number
    - Email address
    - Physical address

    The company emphasized that no sensitive information such as Social Security numbers, government-issued IDs, driver’s license details, bank information, or payment card data was compromised in the incident. DoorDash added that it has no evidence of fraud, identity theft, or misuse of the accessed information.

    DoorDash Response and Security Enhancements

    Following the incident, the company implemented several measures to strengthen its cybersecurity posture. These steps include:

    - Deploying new security system enhancements to detect and block similar malicious activity
    - Increasing employee security awareness training focused on social engineering threats
    - Engaging an external cybersecurity firm to assist in the investigation and provide expert guidance
    - Coordinating with law enforcement for the ongoing inquiry

    DoorDash reiterated its commitment to improving user security, stating that it strives to “get 1% better every day” and protect user privacy through continuous improvements.

    User Notifications and Support

    The company noted that affected users have been notified where required under applicable laws. To address concerns and questions, DoorDash has set up a dedicated call center available in English and French for users in the U.S., Canada, and international regions. Users seeking more information can contact the hotline using reference code B155060. DoorDash also clarified that customers of Wolt or Deliveroo were not impacted by this incident, as the breach was limited exclusively to DoorDash systems and data.

    Guidance for Users

    While no sensitive data was compromised, DoorDash advised users to remain cautious of unsolicited communications requesting personal information. The company warned users to avoid clicking suspicious links or downloading unexpected attachments, as such tactics are commonly used in social engineering attacks. DoorDash stated that users do not need to take any immediate action to protect their accounts, as the compromised information was limited to basic contact details and there is no evidence of misuse.

  • U.S. Prosecutors Indict Cybersecurity Insiders in BlackCat Ransomware Attacks
    by Ashish Khaitan on November 4, 2025 at 2:39 pm

    Federal prosecutors in the United States have charged three individuals for allegedly carrying out a series of ransomware attacks targeting five U.S. companies using BlackCat ransomware, also known as ALPHV, between May and November 2023. The attacks reportedly aimed to extort large sums from the victims, including medical, engineering, pharmaceutical, and technology organizations.

    Insiders Accused of Orchestrating Ransomware Attacks

    Kevin Tyler Martin and another accomplice, referred to in court documents as “Co-Conspirator 1,” were employed at the time as ransomware negotiators for DigitalMint, a Chicago-based company that specializes in mitigating cyberattacks. Ryan Clifford Goldberg, an incident response manager at Sygnia Cybersecurity Services, was also indicted in the scheme.

    The Chicago Sun-Times first reported the charges, highlighting the unusual circumstances in which employees of a firm tasked with resolving ransomware attacks allegedly engaged in their own cybercrimes. “Employees of DigitalMint, a company that specializes in negotiating ransoms in cyberattacks, were part of a small crew, the feds say conducted five hacks that scored more than $1 million,” the outlet reported.

    Timeline and Targets of BlackCat Ransomware Attacks

    Prosecutors claim the group began deploying BlackCat ransomware in May 2023. The first target was a medical company in Florida, whose servers were locked with a ransom demand of $10 million. Court records indicate that the attack ultimately netted $1.2 million, which was routed through cryptocurrency mixers to conceal the transaction. Subsequent targets included a Maryland-based pharmaceutical company, a California doctor’s office with a $5 million demand, an engineering company in California with a $1 million demand, and a Virginia drone manufacturer with a $300,000 demand.

    According to FBI documents, Goldberg initially denied involvement when interviewed in June 2025 but later admitted that the unnamed co-conspirator had recruited him. He stated his motivation stemmed from personal debt and fears of federal prison, and he described how the illicit funds were transferred through multiple cryptocurrency wallets to hide the digital trail.

    Both DigitalMint and Sygnia have publicly stated they were not targets of the investigation and have cooperated fully with law enforcement. DigitalMint confirmed it terminated the employees involved, emphasizing that the alleged attacks occurred outside its systems and did not compromise client data. Sygnia noted that Goldberg was no longer employed by the firm.

    Legal Proceedings and Potential Consequences

    Martin and Goldberg were indicted on October 2, 2025, on multiple charges, including conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce, and intentional damage to protected computers. Goldberg has been taken into custody, while Martin was released on a $400,000 bond. Both face a potential maximum sentence of 50 years in federal prison.

    The timeline of attacks, according to court documents, includes:

    - May 13, 2023: Attack on the Florida medical device company; $1.274 million paid in cryptocurrency.
    - May 2023: Attack on an unspecified firm; ransom demand unknown.
    - July 2023: Attack on the California doctor’s office; $5 million ransom demand.
    - October 2023: Attack on the California engineering company; $1 million ransom demand.
    - November 2023: Attack on the Virginia drone manufacturer; $300,000 ransom demand.

    While Martin has pleaded not guilty, Goldberg allegedly admitted to participating in the attacks in coordination with the co-conspirator to “ransom some companies.” The third individual involved has not been indicted.

    The FBI warns that malicious software like BlackCat ransomware can encrypt files on local drives, networked computers, and attached devices, with victims often coerced into paying ransoms to regain access to critical systems.

  • Cyble Detects Advanced Backdoor Targeting Defense Systems via Belarus Military Lure
    by Ashish Khaitan on November 3, 2025 at 9:19 am

    Cyble Research and Intelligence Labs (CRIL) has uncovered a cyber-espionage operation that used a weaponized ZIP archive to infiltrate defense-sector systems. The malicious file—disguised as a Belarusian military document titled “ТЛГ на убытие на переподготовку.pdf” (“TLG for departure for retraining.pdf”)—delivered a highly advanced backdoor capable of establishing covert access through SSH and Tor.

    The campaign specifically leveraged the Belarusian military theme to deceive personnel linked to Special Operations Command and those specializing in UAV or drone operations. CRIL’s findings suggest the attack aimed to gather intelligence about the region’s unmanned aerial capabilities or possibly to mask the attacker’s true identity through a false-flag narrative.

    This operation builds on methods first observed in the December 2024 “Army+” campaign, previously attributed to the Sandworm group (APT44/UAC-0125). The October 2025 version shows notable technical evolution, employing improved obfuscation, operational security, and anonymization measures.

    Infection Chain and Anti-Detection Measures

    The malicious ZIP archive was carefully constructed to evade both human suspicion and automated detection. Inside the ZIP archive, the victim would find an LNK shortcut masquerading as a PDF file and a hidden folder named “FOUND.000” containing another compressed file, persistentHandlerHashingEncodingScalable.zip. When executed, the LNK shortcut launched an obfuscated PowerShell script instead of opening a legitimate document.

    The PowerShell payload extracted files to the %appdata%\logicpro directory and ran additional code that maintained stealth through obfuscation and environmental awareness. Before executing, it checked that the infected system contained at least ten recent shortcut files and fifty or more running processes—conditions typical of real user environments but not of sandboxes. If these checks fail, the script terminates, effectively bypassing automated malware analysis systems. While the decoy PDF was opened to distract the victim, the malware silently proceeded to install persistent services in the background.

    Scheduled Tasks, Persistence, and Backdoor Setup

    Persistence was achieved through scheduled tasks created using XML templates extracted from the ZIP archive. Two tasks were registered: one to deploy OpenSSH for Windows (renamed as githubdesktop.exe) and another to run a modified Tor client (renamed as pinterest.exe).

    The OpenSSH binary established a local SSH service on port 20321 using only RSA key-based authentication, disabling passwords entirely. The authorized keys and configuration files were stored in hidden directories under AppData\Roaming\logicpro. In parallel, the Tor service created a hidden .onion address and forwarded several critical ports:

    - SSH (20322 → 127.0.0.1:20321)
    - SMB (11435 → 127.0.0.1:445)
    - RDP (13893 → 127.0.0.1:3389)

    To conceal traffic, the malware employed the obfs4 protocol, disguising Tor communications as legitimate network traffic. Two bridge relays—77.20.116.133:8080 and 156.67.24.239:33333—served as entry points into the Tor network.

    Once connected, the malware generated a unique .onion hostname and sent it to the attacker’s command-and-control server via a curl command routed through the Tor SOCKS5 proxy. The command used 1,000 retries with three-second intervals to ensure successful data delivery. This process gave the attacker continuous, anonymous access to the compromised host.

    Attribution, Impact, and Defensive Measures

    CRIL’s analysis confirmed that the backdoor allowed full remote access through SSH, RDP, SFTP, and SMB channels, all tunneled through Tor for anonymity. Analysts verified the backdoor’s functionality by establishing a controlled SSH session using the embedded RSA keys and proxy configuration. No secondary payloads or lateral movement were detected, suggesting the attackers were in the reconnaissance phase.

    The October 2025 sample closely resembles techniques used in the December 2024 Army+ campaign attributed to Sandworm (APT44). The overlap includes double-extension lures, scheduled task persistence, and the integration of OpenSSH and Tor for covert tunneling. Sandworm, associated with Russia’s GRU Unit 74455, has a long history of targeting Ukraine’s infrastructure, including the BlackEnergy attacks in 2015, the NotPetya outbreak in 2017, and a 2023 breach of Kyivstar.

    Despite these similarities, CRIL maintains only moderate confidence in linking this operation directly to Sandworm. The Belarusian military focus could reflect either an intelligence-gathering mission or a deliberate misdirection tactic.

    To mitigate such threats, CRIL recommends that defense organizations:

    - Strengthen email filtering to detect nested or double-extension ZIP archives.
    - Train personnel to verify document authenticity through secondary channels.
    - Deploy behavioral endpoint detection capable of flagging suspicious PowerShell activity and unauthorized scheduled tasks.
    - Block or monitor Tor and obfs4 traffic at the network level.
    - Audit SSH key usage and identify any OpenSSH instances running on non-standard ports.
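    The persistence described above lives in scheduled-task XML, which is exactly what a defender can export (`schtasks /query /xml /tn <name>`) and audit. The script below is an added example written for this page, not Cyble's tooling: it parses task XML and flags Exec actions that launch a binary from a user-writable profile directory or carry SSH/Tor configuration markers such as `sshd_config` or `torrc`. The task samples are constructed to mirror the renamed OpenSSH and Tor binaries the article describes; the task names, user name and directory layout are assumptions.

```python
"""Audit Windows scheduled-task XML for persistence patterns of the kind
described above (binary under %APPDATA%, SSH/Tor config on the command line).

Added example, not Cyble's code. Task XML samples are constructed; real ones
come from `schtasks /query /xml /tn <name>`.
"""
import re
import xml.etree.ElementTree as ET

# Fixed namespace used by Task Scheduler exports
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an ordinary user can write to; services rarely run from here
USER_WRITABLE = re.compile(
    r"\\AppData\\(Roaming|Local)\\|\\Users\\[^\\]+\\(Downloads|Desktop)\\|%APPDATA%|%TEMP%",
    re.IGNORECASE,
)
# Arguments or paths that point at an SSH daemon or Tor client configuration
TUNNEL_MARKERS = re.compile(r"sshd_config|torrc|HiddenServicePort|obfs4", re.IGNORECASE)


def audit_task_xml(xml_text: str) -> list[dict]:
    """Return one finding per suspicious <Exec> action (empty list = clean)."""
    root = ET.fromstring(xml_text)
    uri_el = root.find("t:RegistrationInfo/t:URI", NS)
    task_name = uri_el.text if uri_el is not None and uri_el.text else "<unnamed>"
    findings = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_el.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("binary launched from a user-writable profile directory")
        if TUNNEL_MARKERS.search(cmd + " " + args):
            reasons.append("SSH/Tor configuration markers on the command line")
        if reasons:
            findings.append({"task": task_name, "command": cmd, "arguments": args, "reasons": reasons})
    return findings


def _task(uri: str, command: str, arguments: str) -> str:
    """Build a minimal constructed task export (hypothetical task names)."""
    return (
        f'<Task version="1.2" xmlns="{NS["t"]}">'
        f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed samples: two imitate the renamed OpenSSH/Tor persistence, one is benign
SAMPLES = {
    "ssh_task": _task(r"\GitHubDesktopUpdate",
                      r"C:\Users\alice\AppData\Roaming\logicpro\githubdesktop.exe",
                      r"-f C:\Users\alice\AppData\Roaming\logicpro\sshd_config"),
    "tor_task": _task(r"\PinterestSync",
                      r"C:\Users\alice\AppData\Roaming\logicpro\pinterest.exe",
                      r"-f C:\Users\alice\AppData\Roaming\logicpro\torrc"),
    "benign_task": _task(r"\VendorUpdater",
                         r"C:\Program Files\Vendor\Updater\updater.exe",
                         "/silent"),
}


def audit_samples() -> dict[str, list[dict]]:
    """Run the audit over every constructed sample."""
    return {name: audit_task_xml(xml) for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        status = "SUSPICIOUS" if findings else "clean"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  {f['task']} -> {f['command']} {f['arguments']}")
            for r in f["reasons"]:
                print(f"    - {r}")
```

    Feed each exported task's XML to `audit_task_xml`; a non-empty result means the task is worth a closer look, after which the flagged binary's hash and the listening port it opens can be checked against the indicators above.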

  • Ransomware Attacks Escalate in APAC Targeting VPN Flaws, Microsoft 365 Logins, Python Scripts
    by Ashish Khaitan on October 22, 2025 at 6:28 am

    The Asia-Pacific (APAC) region is seeing a rapid surge in the number of cyberattacks aimed at its enterprises, a new report suggests. According to Barracuda’s SOC Threat Radar report, threat actors are intensifying their efforts against vulnerable VPN infrastructure and Microsoft 365 accounts, and using Python scripts to launch attacks stealthily. The Akira ransomware group, in particular, has accelerated its growth, exploiting outdated or improperly patched systems with speed and precision.

    Akira Exploits SonicWall VPN Vulnerability

    The Akira group is reportedly leveraging a known vulnerability, CVE-2024-40766, in SonicWall VPN devices. Though this security flaw was patched months ago, many organizations have failed to apply the update or to reset credentials after patching. This oversight is proving costly.

    In several incidents, attackers have used stolen credentials (likely harvested before patches were applied) to intercept one-time passwords (OTPs), enabling them to bypass multi-factor authentication (MFA), even on patched systems. The attackers generate valid login tokens, which allow them to sidestep MFA protections entirely.

    Barracuda first issued a security advisory regarding this threat in August 2020. Despite awareness, attacks continue at a steady pace, particularly in Australia and other APAC nations. Researchers stress that Akira can quickly escalate from initial infection to file encryption. They have also observed Akira using legitimate remote monitoring and management (RMM) tools to disable security software and backup systems, effectively sabotaging recovery efforts.

    Conditions That Increase Risk

    Organizations are particularly vulnerable if they:

    - Have not applied the latest SonicWall VPN patch
    - Failed to reset passwords after patching
    - Maintain old, unused, or legacy accounts
    - Use high-access service accounts with non-rotated credentials

    Recommended countermeasures include:

    - Running vulnerability scans to detect unpatched VPNs
    - Upgrading to SonicOS 7.3.0 or later
    - Resetting all VPN-related credentials
    - Removing unused or legacy accounts
    - Restricting VPN access by IP address
    - Monitoring for unusual login activity, particularly from unfamiliar countries or service providers

    “If you think there is any chance that your credentials or OTPs have been exposed, act fast,” the report warns. “Reset all passwords, switch to phishing-resistant MFA like FIDO2 security keys, and check VPN logs for irregular access patterns.”

    Malicious Python Scripts Evade Detection

    Another worrying trend highlighted in the report is the growing use of Python scripts to deploy hacking tools under the radar. Barracuda’s security operations center (SOC) analysts have seen attackers automate credential stuffing, use Mimikatz (a tool to steal passwords), and abuse PowerShell, all orchestrated via Python programs.

    The use of Python allows threat actors to:

    - Automate attacks, increasing their speed and efficiency
    - Disguise malicious processes as legitimate activity
    - Execute multiple operations simultaneously, such as data exfiltration while scanning for vulnerabilities

    This level of automation reduces the need for manual execution, making it harder for conventional security tools to detect malicious actions in time.

    Recommendations to Mitigate Script-Based Attacks

    Organizations are urged to:

    - Deploy endpoint protection tools capable of detecting Python-based threats
    - Regularly update software and operating systems
    - Enforce strict password policies and consistent MFA usage
    - Provide ongoing cybersecurity awareness training to staff

    Microsoft 365 Accounts Targeted

    A third major concern identified is the spike in unusual login activity targeting Microsoft 365 accounts, particularly in Australia, where nearly 150,000 organizations use the platform. These suspicious logins typically originate from unexpected locations, devices, or time zones, clear indicators of compromised credentials.

    The appeal of Microsoft 365 lies in its widespread use and deep integration into business workflows. Once attackers gain access to a user account, they can:

    - Sell credentials to other cybercriminals (e.g., initial access brokers)
    - Move laterally within the organization’s network
    - Steal sensitive data such as emails, files, and communications
    - Send malicious emails from compromised accounts to carry out further attacks

    Signs of Vulnerability and Mitigation Steps

    Organizations face heightened risk if they:

    - Publicly list staff from finance, HR, or IT on websites
    - Don’t enforce strong password policies or MFA
    - Lack monitoring for anomalous login behavior
    - Fail to educate employees about phishing and credential theft

    To defend against Microsoft 365 account compromises, Barracuda recommends:

    - Enabling MFA for all users
    - Limiting permissions and access levels
    - Blocking access from high-risk locations or unknown devices
    - Installing cloud security monitoring tools
    - Conducting regular security training and login pattern analysis
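    Both the VPN and the Microsoft 365 sections above come down to the same detection task: spotting logins from countries or providers a user has never used, and successes that follow a burst of failures (the credential-stuffing pattern the report mentions). The script below is an added example for this page, not Barracuda's detection logic: it builds a per-user baseline from successful sign-ins before a cutoff date, then flags later successes from an unseen country or provider, or preceded by a configurable number of failures inside a short window. The sign-in records, user names, providers and thresholds are constructed assumptions.

```python
"""Per-user sign-in baseline and anomaly flags for cloud identity audit logs.

Added example for this page, not Barracuda's code. Records are constructed in
the shape (user, UTC timestamp, country code, network provider, success).
"""
import datetime as dt
from collections import defaultdict

# Constructed sign-in log: one week of normal activity, then a review period
SIGNINS = [
    ("alice", "2025-10-01T08:02:00", "AU", "Telstra", True),
    ("alice", "2025-10-02T08:05:00", "AU", "Telstra", True),
    ("alice", "2025-10-03T17:40:00", "AU", "Optus", True),
    ("bob",   "2025-10-01T09:10:00", "AU", "Telstra", True),
    ("bob",   "2025-10-02T09:12:00", "AU", "Telstra", True),
    # review period: alice from an unfamiliar country and hosting provider
    ("alice", "2025-10-09T03:14:00", "NG", "Generic Hosting Ltd", True),
    # review period: bob succeeds right after a burst of five failures
    ("bob",   "2025-10-09T22:00:00", "AU", "Telstra", False),
    ("bob",   "2025-10-09T22:00:20", "AU", "Telstra", False),
    ("bob",   "2025-10-09T22:00:40", "AU", "Telstra", False),
    ("bob",   "2025-10-09T22:01:00", "AU", "Telstra", False),
    ("bob",   "2025-10-09T22:01:20", "AU", "Telstra", False),
    ("bob",   "2025-10-09T22:02:00", "AU", "Telstra", True),
    # review period: a normal login that must not be flagged
    ("bob",   "2025-10-10T09:15:00", "AU", "Telstra", True),
]

BASELINE_CUTOFF = dt.datetime(2025, 10, 8)


def _parse(rec):
    user, ts, country, provider, ok = rec
    return user, dt.datetime.fromisoformat(ts), country, provider, ok


def build_baseline(signins, cutoff):
    """Countries and providers each user logged in from successfully before cutoff."""
    base = defaultdict(lambda: {"countries": set(), "providers": set()})
    for user, ts, country, provider, ok in map(_parse, signins):
        if ok and ts < cutoff:
            base[user]["countries"].add(country)
            base[user]["providers"].add(provider)
    return base


def detect_anomalies(signins, cutoff, fail_threshold=5, fail_window=dt.timedelta(minutes=10)):
    """Flag post-cutoff successes from unseen country/provider or after a failure burst."""
    base = build_baseline(signins, cutoff)
    recent_failures = defaultdict(list)  # user -> timestamps of failures since last success
    alerts = []
    for user, ts, country, provider, ok in sorted(map(_parse, signins), key=lambda r: r[1]):
        if ts < cutoff:
            continue
        if not ok:
            recent_failures[user].append(ts)
            continue
        reasons = []
        if country not in base[user]["countries"]:
            reasons.append(f"country {country} not seen in baseline")
        if provider not in base[user]["providers"]:
            reasons.append(f"provider {provider!r} not seen in baseline")
        burst = [f for f in recent_failures[user] if f >= ts - fail_window]
        if len(burst) >= fail_threshold:
            reasons.append(f"success after {len(burst)} failures within {fail_window}")
        recent_failures[user] = []  # a success closes the current failure burst
        if reasons:
            alerts.append({"user": user, "time": ts.isoformat(), "country": country,
                           "provider": provider, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SIGNINS, BASELINE_CUTOFF):
        print(f"{alert['time']} {alert['user']} ({alert['country']}, {alert['provider']})")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

    A user with no baseline at all (a brand-new account) is flagged on every success, which is the conservative choice; lengthen the baseline window or seed it from HR location data if that produces too much noise.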

  • Scattered Spider Moves from Data Leaks to Insider-Powered Access Markets Targeting Microsoft, Apple, and More
    by Ashish Khaitan on October 7, 2025 at 7:51 am

    Scattered Spider has shifted its operational strategy, moving away from chaotic data leaks toward a more structured and professional model of cybercrime. Now functioning as a hybrid of Ransomware-as-a-Service (RaaS) and insider threat operations, the group is building a network of internal collaborators within some of the world’s largest tech and telecom companies, including Microsoft and Apple.

    Scattered Spider Shifts from Loud Hacks to Quiet Access Deals

    Once known for their high-profile breaches and attention-grabbing leaks, Scattered Spider and its affiliated groups, LAPSUS$, ShinyHunters, and the umbrella Scattered LAPSUS$ Hunters, have turned toward access brokerage. Instead of simply exfiltrating data, they’re actively buying and selling privileged access to corporate systems.

    The group is now recruiting insiders across key industries: telecommunications, cloud software, gaming, server hosting, and business process outsourcing. Target companies include names like Microsoft, Apple, IBM, EA, Claro, Telefónica, OVH, and others in the US, UK, Australia, Canada, and France.

    According to recent posts from the group, they are offering 25% of profits for insider access to Active Directory (AD) systems, and 10% for access to identity platforms like Okta, Azure, or AWS IAM root credentials. This represents a move toward a more profit-sharing, affiliate-based model, where insiders are treated as partners in crime rather than simple data sources.

    “We Already Have the Data. We Need Access.”

    A public statement by the group reads:

    “We already have the data. We need access.”

    This illustrates their transition from opportunistic hacking to a more calculated form of cyber extortion, aimed at gaining continuous footholds within high-value environments. They also offered to purchase remote access tools like VPN credentials, Citrix sessions, and AnyDesk installations, which they then resell to ransomware affiliates for further exploitation.

    One of their more detailed dark web posts—titled “SLSH 6.0 part 3 – lapsus$hiny$scattere…”—called for insiders to submit evidence of access, including SSH keys, OpenLDAP logs, and system network configurations. The group sets clear rules for participation: no companies under $500 million in revenue, and no targets from countries like Russia, China, North Korea, or Belarus.

    Salesforce, Microsoft, Apple Among Targeted Firms

    The Scattered LAPSUS$ Hunters have recently launched a new dark web leak site as part of their extortion efforts, following breaches at Salesloft and Salesforce. As of early October 2025, they claim to have compromised approximately 40 companies, with threats to release full datasets unless ransoms are paid by October 10.

    Salesforce responded publicly on October 2, stating:

    “There is no indication that the Salesforce platform has been compromised… Our findings indicate these attempts relate to past or unsubstantiated incidents.”

    Still, the group continues to threaten legal consequences, claiming to have stolen nearly 1 billion records containing sensitive personally identifiable information (PII). They’ve named Berger Montague, a law firm known for data privacy litigation, as a potential partner in civil action against Salesforce if demands are not met.

    They also threatened to expose regulatory violations under GDPR, CCPA, HIPAA, and other privacy laws. In one statement, the group said:

    “We will be submitting a full document… how your company as a data controller… could have prevented such intrusions.”

    Criticism of the Cloud Security Model

    In comments to The Cyber Express, the group criticized the “shared responsibility” model of cloud security. They argued that Salesforce, like other platforms, shifts too much of the security burden onto customers.

    “Salesforce is saying ‘yeah you can use our services but when it comes to security you have to deal with most of it yourself.’”

    They further claimed that the use of known threat indicators—such as Mullvad VPN and TOR IPs—could have been blocked using basic YARA rules yet weren’t.

    The leak site showcases the group’s aggressive tactics, listing household names like Microsoft, Apple, Google AdSense, Cisco, Toyota, FedEx, Disney/Hulu, UPS, McDonald’s, KFC, Instacart, Chanel, Adidas, Air France/KLM, and more.

  • 2025 Ransomware Trends: How Australia’s Wealth Makes It a Prime Target
    by Ashish Khaitan on September 26, 2025 at 12:38 pm

    Australia’s strong economy and high per-capita wealth have made it a prime target for ransomware groups, with the country facing a disproportionate number of attacks compared to many other nations.

    In 2025 alone, Australian organizations have been hit by 71 ransomware incidents, far exceeding the nine attacks recorded in neighboring New Zealand. Despite the difference in volume, both countries have seen ransomware activity this year, including attacks with notable supply chain implications.

    Globally, ransomware attacks tend to be more frequent in regions like the U.S., Canada, and Europe. However, when adjusted for population size, Australia’s ransomware threat is particularly acute. For example, Italy has been hit by 118 ransomware incidents so far in 2025, the fifth highest worldwide, yet Italy’s population is more than twice that of Australia. With Australia ranked 13th globally in GDP but only 55th in population, its economic prosperity has positioned it as an especially lucrative target for ransomware groups seeking financial gain.

    Unlike many regions where a single ransomware group dominates, the ransomware landscape in Australia and New Zealand is more fragmented. The groups Qilin, Akira, and INC have each claimed responsibility for eight attacks in the region this year, with Lynx and Dragonforce also actively involved. The most frequently targeted sectors in Australia and New Zealand are professional services and healthcare. However, at least eight other industries have experienced three or more ransomware incidents in 2025.

    Major Ransomware Attacks in Australia and New Zealand in 2025

    Several notable ransomware incidents have made headlines across Australia and New Zealand this year, involving various industries and extensive data breaches:

    - Akira Ransomware Group: Responsible for attacking an Australian company specializing in operational technology (OT) and industrial control systems (ICS). The group claimed to have stolen 10GB of corporate data, including sensitive employee documents such as passports, driver’s licenses, medical records, birth and death certificates, alongside contracts, financial records, and project files.
    - Australian Political Party Breach: In June 2025, a ransomware attack compromised an Australian political party’s servers. The attackers accessed email correspondence, documents, phone numbers, identity records, banking details, and employment history.
    - Dragonforce Group: Leaked over 100GB of data from an Australian engineering firm. The stolen information included site reports, customer data, detailed technical equipment drawings, and employee medical records.
    - Arcus Media: Claimed an attack on an Australian IT company that develops flight simulation and aviation training software. While no data samples were released, the incident raised concerns over aviation-related cybersecurity.
    - VanHelsing Ransomware: Targeted an Australian medical technology company focusing on sleep diagnostics and neurological monitoring. The group shared evidence, including U.S.-based staff passport scans, credit applications, product and testing data, and employee information.
    - RansomHub Group: Claimed a breach of an Australian pharmaceutical firm engaged in healthcare product manufacturing and distribution, alleging theft of 40GB of sensitive data.
    - Akira: Akira also claimed to have breached an Australian process engineering company, resulting in the theft of 26GB of data, including employee and customer contact details, internal communications, and financial documents.
    - Qilin Group: Targeted an Australian steel industry company, reportedly stealing 11GB of data covering over 23,000 files, including financial documents and internal correspondence.
    - Play Ransomware Group: Attacked a New Zealand-based SaaS company specializing in billing solutions. Though the volume of stolen data was not disclosed, it reportedly included confidential client information, budgets, payroll, tax records, and identification documents.
    - Chaos Ransomware: Leaked nearly 3GB of data from an international instrumentation company with significant operations in New Zealand. The compromised files included technical manufacturing details such as PCB corrections, SMT programming, and RoHS compliance information.

    The Unique Threat Environment in Australia and New Zealand

    Australia and New Zealand face a distinct ransomware threat, with Australia experiencing numerous attacks across various sectors and multiple active ransomware groups. New Zealand’s interconnectedness through global supply chains also exposes it to cybersecurity risk. To effectively counter these cyber threats, organizations must adopt strong cybersecurity measures such as zero trust models, asset segmentation, and continuous monitoring. Platforms like Cyble’s AI-native cybersecurity solutions provide real-time threat intelligence, proactive attack surface management, and autonomous incident response.

  • Pakistan Launches Probe After Massive SIM Data Leak Hits Millions
    by Ashish Khaitan on September 8, 2025 at 10:52 am

    The Pakistani government has launched an urgent investigation following reports of a massive data leak involving SIM holders’ personal information, including that of Interior Minister Mohsin Naqvi. The leaked SIM data, reportedly being sold openly online, has sparked national concern over digital security and privacy.

    The Ministry of Interior confirmed in an official press release that Minister Naqvi had taken immediate notice of the situation and ordered the formation of a special investigation team. The National Cyber Crimes Investigation Agency, acting on the minister’s directives, has constituted this team with a strict deadline to complete its probe and submit findings within 14 days.

    “The team will thoroughly examine the circumstances, and those involved in the data leakage will be identified and brought to justice through legal action,” the press release stated.

    SIM Data Being Sold Online for Pennies

    According to media reports, the breach involves the sale of sensitive SIM data on Google platforms. It is claimed that the mobile location of individuals is being sold for Rs 500, mobile data records for Rs 2,000, and even details of foreign trips for Rs 5,000. Disturbingly, these illicit transactions include data related to government officials and private citizens alike, reported Pakistani English-language newspaper Dawn.

    This news comes just months after the Pakistan National Cyber Emergency Response Team (PKCERT) issued a dire warning about a global data breach that affected more than 180 million Pakistani internet users. PKCERT identified a publicly accessible, unencrypted database containing over 184 million unique account credentials, including usernames, emails, and passwords.

    The data, linked to social media services, banking institutions, healthcare platforms, and government portals, had been stolen using infostealer malware, malicious software that extracts sensitive data from infected systems. The stolen information was stored without any encryption or password protection, making it easily exploitable.

    “The leaked database is believed to have been compiled using infostealer malware… This data was stored in plain text and left completely unprotected,” the advisory noted.

    PKCERT, the federal agency responsible for protecting Pakistan’s digital assets and critical infrastructure, warned that the breach could lead to:

    - Credential stuffing attacks
    - Identity theft
    - Unauthorized access to sensitive accounts
    - Targeted phishing and social engineering
    - Malware deployment using stolen credentials

    The advisory urged citizens, especially SIM holders, to change their passwords regularly and use credible online tools to check for data breaches.

    Previous Breaches Raise Questions About Data Security

    This is not the first high-profile breach of sensitive Pakistani data. In March 2024, a Joint Investigation Team (JIT) reported to the Interior Ministry that the credentials of 2.7 million people were compromised between 2019 and 2023 in a separate incident involving the National Database and Registration Authority (NADRA).

    The overlapping timelines and repeated breaches have raised serious questions about the effectiveness of digital security protocols in Pakistan. With the increasing digital footprint of citizens, including the widespread use of mobile phones and SIM cards, the protection of SIM data and related personal information is more important than ever.

    As the investigation ordered by Interior Minister Naqvi unfolds, public attention will remain focused on both the Interior Ministry and PKCERT to ensure accountability, transparency, and, most importantly, stronger data protection mechanisms for Pakistan’s millions of SIM holders.

  • New Android Malware ‘SikkahBot’ Targets Students in Bangladesh
    by Ashish Khaitan on August 29, 2025 at 6:57 am

    A newly discovered Android malware, dubbed SikkahBot, is actively targeting students in Bangladesh by posing as official applications from the Bangladesh Education Board. The campaign, identified by Cyble Research and Intelligence Labs (CRIL), has been in operation since July 2024.

    According to CRIL, SikkahBot is distributed through shortened URLs such as bit[.]ly/Sikkahbord, apped[.]short[.]gy, and downloadapp[.]website/tyup[.]apk. These URLs are likely spread through smishing, tricking victims into sideloading malicious APK files under the pretense of scholarship applications from government bodies.

    Once installed, the fake app prompts users to log in with their Google or Facebook accounts and asks for personal details such as name, department, and institute. It then demands financial information, including mobile wallet numbers, wallet PINs, and payment methods. After submission, a fake message tells the victim that a representative will contact them soon, a ploy to buy time while the malware begins its work in the background.

    SikkahBot Malware: Permissions Abuse and Automated Banking Fraud

    What sets SikkahBot apart is its aggressive abuse of Android permissions. Upon installation, it pushes users to grant high-risk access, including the Accessibility Service, SMS access, call management, and the ability to draw over other apps. Together these permissions let it read and act on the device with near-complete control.

    (Image: permission activity. Source: Cyble)

    Once the permissions are granted, the malware shows a fake homepage with doctored images of students supposedly receiving scholarships, part of its social engineering strategy to establish legitimacy.

    Behind the scenes, SikkahBot registers a broadcast receiver that intercepts all incoming SMS messages. It filters for keywords related to mobile banking services widely used in Bangladesh, such as “bKash,” “Nagad,” and “MYGP,” as well as associated service numbers like “16216” and “26969.” Matching messages are forwarded to an attacker-controlled Firebase server at update-app-sujon-default-rtdb[.]firebaseio.com.

    Accessibility Exploits and Offline USSD Transactions

    The malware’s exploitation of the Accessibility Service is particularly dangerous. When it detects that the user is interacting with banking apps such as bKash, Nagad, or Dutch-Bangla Bank, it pulls credentials from its command-and-control server and attempts to autofill the login fields, bypassing user input entirely.

    (Image: login and registration page. Source: Cyble)

    If the user isn’t actively using these apps, SikkahBot initiates USSD-based banking transactions instead. It receives USSD codes and SIM slot information from the server, dials them, and works through the response prompts by clicking UI elements labeled “SEND” or “OK.” Because USSD runs over the cellular signalling channel rather than a data connection, the transaction itself needs no internet access, which increases the malware’s reach and reliability in low-connectivity environments.

    Evasion and Evolution

    Despite its high-risk behavior, SikkahBot variants maintain low detection rates on VirusTotal, which points to obfuscation and continued refinement by the attackers. CRIL reports more than 10 distinct samples, with newer versions adding more automated features and more sophisticated command execution.

    “The combination of phishing, automated banking activity, and offline USSD exploitation makes it a highly effective tool for financial fraud against unsuspecting students,” CRIL stated in its technical analysis.

    Recommendations for Protection

    To protect against campaigns like SikkahBot, CRIL stresses the need for improved mobile security awareness and proactive defense. Its key recommendations include:

      • Install apps only from trusted sources such as the Google Play Store.
      • Avoid clicking on shortened or suspicious links, especially those received via SMS or social media.
      • Limit permissions: do not grant Accessibility or overlay permissions unless absolutely necessary and verified.
      • Enable multi-factor authentication (MFA) for financial apps.
      • Use mobile security software that includes real-time threat detection.
      • Keep the Android OS and apps up to date to patch known vulnerabilities.
      • Report suspicious activity immediately to your bank and perform a factory reset if necessary.

    Cyble’s Threat Intelligence Platform continues to monitor emerging malware like SikkahBot, providing early detection, infrastructure tracking, and threat attribution. As digital fraud grows in complexity and scope, constant vigilance and cybersecurity hygiene remain the first lines of defense.
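    The following is an added triage example for the behaviour described above; it is not code from Cyble, CRIL, or the article, and it is not the malware. It turns the write-up's indicators into a static check an analyst can run against a decoded AndroidManifest.xml and a list of strings pulled from an APK: the permission set SikkahBot asks for (SMS, call handling, overlay), an accessibility service declaration, an SMS_RECEIVED broadcast receiver, the bKash/Nagad/MYGP keywords and 16216/26969 service numbers it filters SMS for, and the Firebase C2 host. The sample manifests, string lists, package and class names are constructed for the example; the scoring thresholds are the author's own choice, not Cyble's.

```python
"""Static triage heuristic for SikkahBot-style Android banking malware.
Added example, not code from Cyble/CRIL or from the malware. It checks a
decoded AndroidManifest.xml and strings extracted from an APK against the
indicators the write-up describes. Sample manifests and strings below are
constructed; package and class names are made up."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions behind the capabilities the article attributes to SikkahBot.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sms_intercept",
    "android.permission.READ_SMS": "sms_intercept",
    "android.permission.CALL_PHONE": "ussd_dialing",      # dialing USSD codes
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",  # draw over other apps
}
# SMS filter keywords/service numbers and the C2 host quoted in the write-up.
BANKING_KEYWORDS = ("bkash", "nagad", "mygp", "16216", "26969")
KNOWN_C2_HOSTS = ("update-app-sujon-default-rtdb[.]firebaseio.com",)


def refang(s: str) -> str:
    """Normalise defanged indicators so IOC lists and raw strings compare equal."""
    return s.lower().replace("[.]", ".").replace("hxxp", "http")


def analyze_manifest(manifest_xml: str) -> set[str]:
    """Return capability tags implied by the manifest's permissions and components."""
    root = ET.fromstring(manifest_xml)
    caps: set[str] = set()
    for perm in root.iter("uses-permission"):
        tag = RISKY_PERMISSIONS.get(perm.get(ANDROID_NS + "name", ""))
        if tag:
            caps.add(tag)
    # A receiver filtering SMS_RECEIVED is how the malware sees bank alerts and OTPs.
    for receiver in root.iter("receiver"):
        if any(a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION for a in receiver.iter("action")):
            caps.add("sms_receiver")
    # An accessibility service is declared with BIND_ACCESSIBILITY_SERVICE on the <service>.
    for service in root.iter("service"):
        if service.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            caps.add("accessibility")
    return caps


def scan_strings(strings: list[str]) -> dict[str, list[str]]:
    """Collect banking-keyword and C2-host hits from extracted APK strings."""
    keywords: list[str] = []
    c2: list[str] = []
    for raw in strings:
        s = refang(raw)
        keywords += [k for k in BANKING_KEYWORDS if k in s and k not in keywords]
        c2 += [h for h in KNOWN_C2_HOSTS if refang(h) in s and h not in c2]
    return {"keywords": keywords, "c2": c2}


def triage(manifest_xml: str, strings: list[str]) -> dict:
    """Combine manifest capabilities and string hits into a verdict (thresholds are illustrative)."""
    caps = analyze_manifest(manifest_xml)
    hits = scan_strings(strings)
    # Accessibility + SMS hook + (USSD dialing or overlay) is the automated-fraud shape.
    fraud_shape = {"accessibility", "sms_receiver"} <= caps and bool(caps & {"ussd_dialing", "overlay"})
    if hits["c2"] or (fraud_shape and hits["keywords"]):
        verdict = "high"
    elif fraud_shape or len(hits["keywords"]) >= 2 or len(caps) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"capabilities": sorted(caps), **hits, "verdict": verdict}


# Constructed manifest with the permission set and components the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scholarship">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
# Constructed strings, as apktool or `strings` might surface them.
SAMPLE_STRINGS = ["Sikkahbord Scholarship Form", "bKash", "Nagad", "16216", "SEND", "OK",
                  "https://update-app-sujon-default-rtdb.firebaseio.com/sms.json"]
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application></manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), triage(BENIGN_MANIFEST, ["Notes"]))
```

    The manifest check looks for the shape of the attack rather than any single permission: RECEIVE_SMS alone is common in legitimate apps, but an accessibility service next to an SMS_RECEIVED receiver and CALL_PHONE or overlay rights is the combination that makes autofilled logins and unattended USSD dialing possible. Because the strings on the page are quoted defanged, the refang step lets the same IOC list be matched against raw output from apktool or strings without hand-editing.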
