ThreatsDay Bulletin: $15B Crypto Bust, Satellite Spying, Billion-Dollar Smishing, Android RATs & More

The U.S. government has seized $15 billion (approximately 127,271 bitcoin) worth of cryptocurrency assets from one of the world’s largest operators of forced-labor scam compounds across Cambodia, Myanmar, and Laos, which are known to conduct romance baiting (aka pig butchering or Shā Zhū Pán) schemes to defraud victims under the pretext of increased returns. The perpetrators, operating from the scam compounds under the threat of violence, often built relationships with their victims over time, earning their trust before stealing their funds. The Department of Justice (DoJ) unsealed an indictment against the Prince Group and its 38-year-old CEO, Chen Zhi (aka Vincent). “Individuals held against their will in the compounds engaged in cryptocurrency investment fraud schemes, known as ‘pig butchering’ scams, that stole billions of dollars from victims in the United States and around the world,” the DoJ said. “Trafficked workers were confined in prison-like compounds and forced to carry out online scams on an industrial scale, preying on thousands worldwide.” Zhi, the alleged kingpin behind the sprawling cybercrime empire, is at large. The department also said the seized funds represent “proceeds and instrumentalities of the defendant’s fraud and money laundering schemes” and were stored in unhosted cryptocurrency wallets whose private keys the defendant had in his possession. The compounds operated out of casinos and luxury hotels owned by the Group. Some of the stolen proceeds were spent on luxury goods, including yachts, private jets, art, and even a Picasso painting. In tandem, the U.S. and the U.K. designated Prince Group as a transnational criminal organization and announced sanctions against the defendant. Other proxy organizations targeted by the sanctions include Jin Bei Group, Golden Fortune Resorts World, and Byex Exchange. Elliptic said the $15 billion seized by the U.S. was “stolen” in 2020 from LuBian, a bitcoin mining business with operations in China and Iran. LuBian, per the blockchain analytics company, was one of the ostensibly legal business enterprises overseen by Prince Group. “Pig butchering has exploded into an industrialized fraud economy generating tens of billions of dollars annually,” Infoblox said. “Sophisticated Asian crime syndicates have proven adept at spinning up hundreds of disposable websites in minutes, overwhelming governments that cannot detect or block them fast enough to shield victims.”

Kaspersky has revealed that the newly discovered banking trojan dubbed Maverick targeting Brazilian users using a WhatsApp worm named SORVEPOTEL shares many code overlaps with Coyote. “Once installed, the trojan uses the open-source project WPPConnect to automate the sending of messages in hijacked accounts via WhatsApp Web, taking advantage of the access to send the malicious message to contacts,” the Russian security vendor said. “The Maverick trojan checks the time zone, language, region, and date and time format on infected machines to ensure the victim is in Brazil; otherwise, the malware will not be installed.” The malware monitors victims’ access to 26 Brazilian bank websites, six cryptocurrency exchange websites, and one payment platform to facilitate credential theft. It also comes with capabilities to fully control the infected computer, take screenshots, install a keylogger, control the mouse, block the screen when accessing a banking website, terminate processes, and open phishing pages in an overlay. Kaspersky said it has blocked 62,000 infection attempts using the malicious LNK file shared via WhatsApp in the first 10 days of October, only in Brazil, indicating a large-scale campaign.

A new study from a team of academics from the University of Maryland and the University of California, San Diego has found that it’s possible to intercept and spy on 39 geostationary satellite communications traffic from the U.S. military, telecommunications firms, major businesses, and organizations using a consumer-grade satellite dish installed on the roof of their building. Intercepted data comprised mobile carrier calls and text messages, VoIP call audio, login credentials, corporate emails, inventory records, and ATM networking information belonging to retail, financial, and banking companies, military and government secrets associated with coastal vessel surveillance, and web browsing activities of in-flight Wi-Fi users. “A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks,” the researchers said. “This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware.” Following disclosure, T-Mobile has moved to encrypt its satellite communications.

Hundreds of users are estimated to have had their sensitive information stolen through a compromised website belonging to video game software development company Unity Technologies. The malicious skimmer, injected into the checkout page of Unity SpeedTree, was designed to harvest the information entered by individuals who made purchases on the SpeedTree site, including name, address, email address, payment card number, and access code. According to a filing with the Maine Attorney General’s Office, the incident impacted 428 individuals. The affected customers are being notified and offered free credit monitoring and identity protection services. The breach was discovered on August 26, 2025.

Smishing campaigns carried out by Chinese cybercrime groups that distribute fake SMS messages to U.S. users about package deliveries and toll road payments have made more than $1 billion over the last three years, The Wall Street Journal reported, citing the Department of Homeland Security. The scam, made possible via phishing kits sold on Telegram, is designed to steal victims’ credit card details and then use them in Google and Apple Wallets in Asia and the U.S. to make unauthorized purchases, such as gift cards, iPhones, clothing, and cosmetics. The messages are sent via SIM farms, with about 200 SIM boxes operating in at least 38 farms across the U.S. According to Proofpoint, as many as 330,000 toll scam messages were sent to Americans in a single day last month. A previous report from SecAlliance in August 2025 noted that Chinese smishing syndicates may have compromised between 12.7 million and 115 million payment cards in the U.S. alone between July 2023 and October 2024. The criminal ecosystem has since evolved to include the sale of pre-positioned devices loaded with stolen cards, indicating an evolution of the monetization strategy.

A sophisticated campaign targeting macOS users has employed fake Homebrew installer websites (homebrewfaq[.]org, homebrewclubs[.]org, and homebrewupdate[.]org) that deliver malicious payloads. The attack exploits the widespread trust users place in the popular Homebrew package manager by creating pixel-perfect replicas of the official brew[.]sh installation page, and combining it with deceptive clipboard manipulation techniques. The spoofed sites incorporate hidden JavaScript designed to inject additional commands into users’ clipboards without their knowledge during the installation phase when unsuspecting users attempt to copy the command to install the tool. It’s assessed that the attack chain is being used to deliver Odyssey Stealer. Previous campaigns have used fake Homebrew pages to trick users into installing Cuckoo Stealer.

The U.K.’s National Cyber Security Centre (NCSC) reported 204 “national significant” cyber incidents between September 2024 and August 2025. The number represents an 130% increase compared to the previous year, when U.K. organizations faced 89 incidents of such high impact. Of these, 18 were classified as highly significant incidents. The disclosure comes as Bloomberg revealed that Chinese state actors systemically and successfully compromised classified U.K. government computer systems for more than a decade, accessing low- and medium-level classified information. The data accessed included confidential documents relating to the formulation of government policy, private communications, and some diplomatic cables, the report added.

Around 200,000 Linux computer systems from American computer maker Framework have been found to be shipped with signed UEFI shell components that could be exploited to bypass Secure Boot protections. An attacker could take advantage of the issues to load bootkits that can evade operating system-level security controls and survive re-installs of the operating system. The vulnerabilities have been codenamed BombShell by Eclypsium. “At the heart of this issue is a seemingly innocent command: mm (memory modify),” the firmware security company said. “This command, present in many UEFI shells, provides direct read and write access to system memory. While this capability is essential for legitimate diagnostics, it’s also the perfect tool for bypassing every security control in the system.” Framework has released security updates to address the vulnerabilities.

Cybercriminals have unleashed a sophisticated phishing campaign targeting Colombian users through deceptive judicial notifications, deploying a complex multi-stage malware delivery system that culminates in delivery of AsyncRAT. The attack campaign employs carefully crafted Spanish-language emails impersonating official correspondence from the Colombia court system, informing recipients of purported lawsuits filed against them and tricking them into opening SVG file attachments that lead to fake landing pages so as to download the document, which is an HTML Application responsible for activating a series of interim payloads to deploy AsyncRAT.

Google has added new protections to Google Messages and account recovery methods to secure people against scams. This includes the ability to block users from visiting links shared on Messages that have been flagged as spam, unless users explicitly mark the texts as “not spam.” The company has also added the option to regain access to the Google Account by means of a “Sign in with Mobile Number” option. “All you need is the lock-screen passcode from your previous device for verification, no password needed,” it said. Another new feature includes Recovery Contacts, which allows users to choose trusted friends or family members to make it easier to recover access to the account in case it gets locked out due to a device being stolen. Last but not least, Google said it’s also making the Key Verifier available to all Android 10+ users for an extra layer of security when chatting via Google Messages by ensuring that users are communicating with the person they intend to and not somebody else.

A C# malware loader called PhantomVAI Loader is being distributed via phishing emails bearing shipment lures to deliver stealers and remote access trojans like AsyncRAT, XWorm, Formbook, and DCRat. “The loader initially used in these campaigns was dubbed Katz Stealer Loader [aka VMDetectLoader], for the Katz Stealer malware that it delivers,” Palo Alto Networks Unit 42 said. “Hackers are selling this new infostealer on underground forums as malware as a service (MaaS).” Phishing campaigns deploying PhantomVAI Loader have targeted a wide spectrum of sectors globally, including manufacturing, education, utilities, technology, healthcare, and government. The phishing emails contain zipped JavaScript or Visual Basic Script files that launch PowerShell, responsible for dropping the loader in the form of a GIF image, which then proceeds to run virtual machine checks, establish persistence, and inject MSBuild.exe with the next-stage payload using a technique called process hollowing.

A nascent toolkit named Whisper 2FA has emerged as the third most common phishing-as-a-service (PhaaS) after Tycoon and EvilProxy. Barracuda said it has detected close to a million Whisper 2FA attacks targeting Microsoft accounts in multiple huge phishing campaigns in the last month. Whisper 2FA has been found to share similarities with another PhaaS kit named Salty 2FA. “Whisper 2FA’s defining trait is its ability to steal credentials multiple times through a real-time credential exfiltration loop enabled by a web technology known as AJAX (Asynchronous JavaScript and XML),” security researcher Deerendra Prasad said. “The attackers keep the loop going until they obtain a valid multi-factor authentication token.” The phishing kit is assessed to be under active development, with the authors progressively adding more layers of obfuscation and protections to block debugging tools and crash browser inspection tools. “As phishing kits like this continue to evolve, organizations need to move past static defenses and adopt layered strategies: user training, phishing-resistant MFA, continuous monitoring, and threat intelligence sharing,” Prasad added.

The Scattered Lapsus$ Hunters (SLSH) cybercrime group, comprised primarily of English-speaking teenagers combining elements of Scattered Spider, LAPSUS$, and ShinyHunters, has announced it will go dark until 2026 following the FBI’s seizure of its clearnet data leak site. “As per the exceptional circumstances by which the FBI tried to obliterate our legacy, we’ve exceptionally decided to temporarily renounce to oblivion [sic] and promptly hack them back,” one member wrote on October 11. “We shall now dissolve again in the ether. Good night.” In a follow-up message, it said: “I promise you, you will feel our wrath.” The extortion crew has since published data allegedly belonging to six of the 39 targeted companies, including Qantas, Albertsons, GAP, Vietnam Airlines, Fujifilm, and Engie Resources, per DataBreaches.net.

Cybersecurity researchers have documented a rise in cyber attacks exploiting remote monitoring and management (RMM) tools for initial access via phishing email alerts warning of fake login to recipients’ ConnectWise ScreenConnect instances. Advanced persistent threat (APT) groups and ransomware crews have leveraged legitimate RMM platforms, including AnyDesk, ScreenConnect, UltraViewer, AppAnywhere, RustDesk, CloneDesk, Splashtop, and TightVNC, to gain unauthorized control of systems. The researchers found that threat actors are also exploiting ScreenConnect’s legitimate features, such as unattended access and interactive desktop control, to establish persistence and move laterally within compromised networks. “Their administrative power, combined with custom installers, invite links, and public URLs, makes them high-value targets,” DarkAtlas said.

German and Bulgarian authorities have seized 1,406 websites that were used for perpetrating large-scale financial scams. The sites, taken offline at the start of the month, lured users to invest in cryptocurrency on fraudulent trading platforms and then disappeared with their funds. Officials said the platforms did not have the necessary permission from BaFin to provide financial or securities services and banking transactions. They also said more than 866,000 attempts to access the sites were recorded over a period of ten days after they were seized on October 3, 2025, underscoring the attackers’ success in pulling off the scheme. In mid-June 2025, around 800 illegal domains were blocked as part of a similar effort.

NVIDIA has rolled out fixes for two vulnerabilities in NVIDIA’s Display Driver for Linux (CVE-2025-23280 and CVE-2025-23330) that can be triggered by an attacker controlling a local unprivileged process to achieve kernel read and write primitives. Quarkslab, which discovered and reported the flaws in June 2025, has released a complete proof-of-concept exploit.

Cyble and iVerify have detailed two new Android malware families called GhostBat RAT and HyperRat that can steal sensitive data from compromised devices. “Operators can fetch logs, send notifications, dispatch an SMS from the infected user’s SIM, download archived messages, inspect the call log, view or modify granted permissions, browse installed applications, and even establish a VNC session,” iVerify security researcher Daniel Kelley said about HyperRat. The web-based command-and-control (C2) panel supports the ability to create custom APK files using a builder, serve fake login overlays atop installed apps, and an option to facilitate downstream spam or phishing campaigns via a mass messaging button. GhostBat RAT, on the other hand, has been observed targeting Indian Android users via bogus apps distributed via WhatsApp and SMS messages containing links to compromised websites and GitHub. Once installed, the malware uses phishing pages to capture banking credentials and UPI PINs. It can also exfiltrate SMS messages containing banking-related keywords, with select variants including cryptocurrency mining capabilities. “The GhostBat RAT samples included multi-stage dropper workflows, native binary packing, deliberate corruption/manipulation of ZIP headers, runtime anti-emulation checks, and heavy string obfuscation, complicating reverse engineering,” Cyble noted.

Brazilian law enforcement authorities have disrupted a sophisticated criminal network that has been accused of laundering about $540 million. The sweeping operation, codenamed Lusocoin, saw 13 searches and 11 temporary arrests, as well as the seizure of six luxury vehicles and six high-value properties. Assets totaling more than 3 billion Brazilian reais (about $540 million) have been subjected to court-ordered freezes. Officials said the network operated as an international money-laundering and foreign-exchange evasion scheme, converting illicit profits from drug trafficking, smuggling, tax evasion, and even terrorism financing into cryptocurrency assets to hide the source of funds. In all, the group is believed to have moved more than $9 billion through its ecosystem of shell companies, exchanges, and digital wallets.

New research has found that it’s possible to leverage Amazon’s distributed application tracing service AWS X-Ray as a covert C2 server, essentially turning cloud monitoring infrastructure to establish bidirectional communication. “AWS X-Ray was designed to help developers understand application performance by collecting traces,” security researcher Dhiraj Mishra said. “However, X-Ray annotations can store arbitrary key-value data, and the service provides APIs to both write and query this data.” An attacker can weaponize this behavior to implant a beacon on the target system and subsequently control it by issuing an HTTP PUT request containing a Base64 command to the X-Ray service’s “/TraceSegments” endpoint, from where the victim machine fetches the malicious trace during the polling phase and then decodes and executes the embedded command within it. The results of the command execution are exfiltrated to the X-Ray service, allowing the attacker to access the result traces by sending an HTTP GET request to the “/TraceSummaries” endpoint.

Seven security vulnerabilities (from CVE-2025-54246 through CVE-2025-54252) have been disclosed in Adobe Experience Manager that could result in security feature bypass and allow attackers to gain unauthorized read/write access. The issues, which were reported by Searchlight Cyber’s Assetnote team in June 2025, were fixed by Adobe last month. There is no evidence that they were exploited in the wild.

Google has reached a settlement agreement over its use of an open-source dataset named Diversity in Faces that allegedly contained images of people from the U.S. state of Illinois for training its facial recognition algorithms in violation of the Biometric Information Privacy Act (BIPA). The dataset was created in 2019 by IBM to address existing biases in overwhelmingly light-skinned and male-dominated facial datasets. According to plaintiffs, some of the images were pulled from a Flickr dataset that featured biometric data of people from Illinois. The terms of the settlement were not disclosed. The case was originally filed in 2020, with lawsuits also filed against Amazon and Microsoft for similar violations.

A new report from Chainalysis has revealed that cryptocurrency balances linked to illicit activity exceed $75 billion. This includes about $15 billion held directly by illicit entities and more than $60 billion in wallets with downstream exposure to those entities. “Darknet market administrators and vendors alone control over $40 billion in on-chain value,” the blockchain intelligence firm said. Earlier this year, Chainalysis disclosed that more than $40 billion in cryptocurrency was laundered in 2024 alone, most of it through wallets and mixers that leave no trace in standard compliance systems.