
ECHO Cyber Threat Panorama: Weekly Threat Intelligence Bulletin (07.04.2025)

Introduction

The weekly Cybersecurity Bulletin is prepared by the ECHO team to summarize the cybersecurity incidents of recent weeks and keep readers informed about them.


Executive Summary

This bulletin:

  • Provides up-to-date information on cyber threats such as attacks, data leaks, malware, ransomware and critical vulnerabilities.
  • Summarizes our security team's weekly analysis of these threats so that readers can minimize their exposure.
  • Covers the week's security news.

Ransomware Malware of the Week: Babuk2 and Bjorka: The Evolution of Ransomware into Data Commercialization

Description

The Babuk ransomware group has been observed to be active again and to have significantly changed its attack methods. Departing from traditional ransomware techniques in favour of direct commercialization of data, the new variant Babuk2 is actively used by the threat actor Bjorka. The aim is to go beyond ransom payments and also to profit from the sale of stolen data.

Details of the Malware

  • Malware Name: Babuk2
  • Date of Detection: April 2025
  • Attack Actor: Bjorka
  • Targets: Organizations operating in critical sectors
  • Derivation: Advanced version of the original Babuk ransomware

Traditional Ransomware Methods

Previous versions of Babuk followed the following steps:

  1. System Infiltration: Unauthorized access to the target systems is obtained.
  2. Data Encryption: The accessed data is encrypted, halting the operation of the systems.
  3. Ransom Demand: The victim is asked to pay a ransom for the decryption key.

The Threat Evolving with Babuk2: Data Commercialization

The most striking feature of Babuk2 is that, rather than relying on encryption, it is built around stealing data and selling it on the dark web. Because the systems keep running, the intrusion tends to be noticed later, and the breach is carried out without interrupting operations.

  • Use of Encryption: Some variants still use advanced encryption, while others completely abandon encryption and focus only on exfiltrating data.
  • Data Sale: In addition to the ransom demand, the stolen sensitive information is offered to buyers in the criminal market, creating a second source of income.

Bjorka: New Generation Threat Actor

The threat actor named Bjorka stands out in Babuk2 attacks. Researchers report that Bjorka uses similar methods to Babuk, but is more aggressive in selling stolen data. This is seen as a sign of a new era in the ransomware ecosystem.

Technical Details

  • Encryption: Variants that still encrypt use strong algorithms such as AES and demand a ransom for the decryption key; other variants skip encryption entirely and rely on the threat of a data leak alone for leverage.
  • Data Exfiltration: The obtained files are offered for sale on dark web platforms or leaked to the public for further pressure.
  • Fileless Methods: In-memory execution and fileless attack techniques are used to bypass security software.
  • Persistent Access: Backdoors are placed in the system to ensure persistence and new user accounts are created.

Another Ransomware of the Week: Attack That Started with Zoom Installation and Ended with BlackSuit Ransomware

Description

A cyberattack that began in May 2024 with a fake Zoom installer and ended nine days later with the deployment of BlackSuit ransomware has been documented. The attackers obtained their initial foothold when a user downloaded a malicious installer from a website that mimicked the real Zoom download page.


Details of the Malware

  • Malware Name: BlackSuit Ransomware
  • Type: Ransomware
  • Targets: Windows systems
  • Detection Date: May 2024

Technical Details

Impact of the Malware

Once the fake Zoom installer had run, the attackers deployed a remote access trojan (RAT) called SectopRAT. About nine days later they moved laterally through the network using Cobalt Strike and Brute Ratel, and in the final stage deployed BlackSuit ransomware to all systems.


MITRE ATT&CK Techniques

  • T1566.001: Phishing: Spearphishing Attachment
  • T1204.002: User Execution: Malicious File
  • T1059.003: Command and Scripting Interpreter: Windows Command Shell
  • T1574.002: Hijack Execution Flow: DLL Side-Loading
  • T1027: Obfuscated Files or Information
  • T1083: File and Directory Discovery
  • T1562.001: Impair Defenses: Disable or Modify Tools
  • T1486: Data Encrypted for Impact

Attack Chain

  1. Initial Access: Victim downloads and runs fake Zoom installer.
  2. Loader: d3f@ckloader and IDAT loader are used to run SectopRAT.
  3. Injection: The malicious payload is injected into the MSBuild.exe process.
  4. Command and Control: Additional tools (Cobalt Strike, Brute Ratel) are downloaded by connecting to the attacker server.
  5. Lateral Movement: Spreading to systems within the network is achieved.
  6. Data Exfiltration: Files collected with WinRAR are uploaded to the Bublup cloud service.
  7. Ransomware: BlackSuit is pushed to and executed on all systems with PsExec.
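The chain above leaves a few telemetry artifacts that are cheap to hunt for: MSBuild.exe making outbound connections (a build tool that has no business talking to the internet, used here as the injection host), an archiver run shortly followed by an upload to a consumer cloud service, and the PSEXESVC service appearing on a host. The following script is an added example, not code from the DFIR write-up or from any vendor; the event layout is a simplified Sysmon-like shape and every event in it is constructed, with field names that are assumptions.

```python
"""Hunt for the stages of the fake-Zoom-to-BlackSuit chain in endpoint telemetry.

Added example (not code from the DFIR write-up). Events are dicts shaped like
Sysmon process-create (id 1), network-connect (id 3) and service-install
("service") records; the field names and all sample data are constructed.
"""
import ipaddress
from datetime import datetime, timedelta

ARCHIVERS = {"winrar.exe", "rar.exe", "7z.exe"}
EXFIL_DOMAINS = ("bublup.com",)      # cloud service used for exfiltration in this intrusion
REMOTE_EXEC_SERVICES = {"PSEXESVC"}  # service name PsExec installs on the target host

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 1, "host": "WS01",
     "image": r"C:\Users\a\Downloads\Zoom_v_2.00.4.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "Zoom_v_2.00.4.exe"},
    {"ts": "2024-05-01T09:00:12", "id": 1, "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\a\AppData\Roaming\loader.exe", "cmdline": "MSBuild.exe"},
    {"ts": "2024-05-01T09:00:20", "id": 3, "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest": "update-zoom.example", "port": 443},
    {"ts": "2024-05-09T13:10:00", "id": 1, "host": "FS01",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"WinRAR.exe a -r D:\staging\fin.rar \\FS01\Finance"},
    {"ts": "2024-05-09T13:25:00", "id": 3, "host": "FS01",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "bublup.com", "port": 443},
    {"ts": "2024-05-10T02:00:00", "id": "service", "host": "DC01",
     "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    # Benign: a build server's MSBuild talking to an internal package feed, not flagged.
    {"ts": "2024-05-10T08:00:00", "id": 3, "host": "BUILD01",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "dest": "10.0.0.5", "port": 8081},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_external(dest):
    """Private, loopback, link-local and documentation ranges count as internal;
    anything that is not an IP literal (a hostname) is treated as external."""
    try:
        return not ipaddress.ip_address(dest).is_private
    except ValueError:
        return True


def hunt_blacksuit_chain(events, exfil_window_minutes=60):
    """Return (host, rule, detail) findings in chronological order."""
    window = timedelta(minutes=exfil_window_minutes)
    findings = []
    last_archive = {}  # host -> time an archiver last created an archive
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        host = e["host"]
        name = basename(e.get("image", ""))
        if e["id"] == 3 and name == "msbuild.exe" and is_external(e["dest"]):
            findings.append((host, "msbuild_outbound",
                             f"MSBuild.exe connected to {e['dest']}:{e['port']} (injection host / C2)"))
        elif e["id"] == 1 and name in ARCHIVERS and " a " in f" {e['cmdline']} ":
            last_archive[host] = ts  # 'a' = add-to-archive in WinRAR/rar/7z syntax
        elif e["id"] == 3 and e["dest"].endswith(EXFIL_DOMAINS):
            recent = last_archive.get(host)
            if recent is not None and ts - recent <= window:
                findings.append((host, "staging_then_cloud_upload",
                                 f"archive created {recent.isoformat()} then {name} -> {e['dest']}"))
            else:
                findings.append((host, "cloud_upload", f"{name} -> {e['dest']}"))
        elif e["id"] == "service" and e.get("service", "").upper() in REMOTE_EXEC_SERVICES:
            findings.append((host, "psexec_service_installed",
                             f"service {e['service']} from {e['image']}"))
    return findings


if __name__ == "__main__":
    for host, rule, detail in hunt_blacksuit_chain(SAMPLE_EVENTS):
        print(f"{host:8} {rule:28} {detail}")
```

The initial-access stage (the fake installer itself) is better caught at the proxy or download layer, since a freshly downloaded "Zoom_v_*.exe" looks like any other user download in process telemetry; the rules above target the stages that follow it.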

Malware of the Week: Crocodilus: New Android Trojan That Abuses Accessibility Services

Description

Crocodilus is a new mobile threat classified as an Android banking trojan, specifically targeting users in Turkey and Spain. By abusing the Android accessibility services on the device, it steals credentials from banking and cryptocurrency applications, including the seed phrases that give full access to cryptocurrency wallets.


Malware Details

  • Malware Name: Crocodilus
  • Variant: Android banking trojan
  • Target Regions: Spain, Turkey
  • First Detection: March 29, 2025
  • Target Applications: Banking and cryptocurrency wallet applications

Technical Details

Malware Impact

Crocodilus monitors user interaction and collects sensitive information by abusing device accessibility services. It can also take control of the device and perform operations without the user being aware of it.

  • Monitor user interaction
  • Steal banking and crypto information
  • Take control of the device

Malicious Features

  • Fake App Impersonation: It hides behind package names that mimic legitimate applications such as Google Chrome.
  • Abuse of Accessibility Services: It can read on-screen content and track user actions.
  • Remote Command Execution: Attackers can remotely perform operations on the device (e.g. open an application, log in).
  • Black Screen Overlay: It covers the screen with a black layer and mutes the sound to hide its activity.

Additionally, other key features of Crocodilus include:

  • Launch a specific app
  • Remove itself from the device
  • Send push notifications
  • Send SMS to all/selected contacts
  • Retrieve contact lists
  • Retrieve list of installed apps
  • Retrieve SMS messages
  • Request Device Administrator privileges
  • Enable black screen overlay
  • Update command and control server settings
  • Enable/disable sounds
  • Enable/disable keylogger
  • Make itself the default SMS manager

Another Malware of the Week: Evilginx: Multi-Factor Authentication (MFA) Bypassing Threat

Description

Evilginx is an open-source phishing framework (the original release was built on the NGINX web server; the current Evilginx2 is a standalone reverse proxy written in Go) that lets attackers steal user credentials and session tokens. It performs Adversary-in-the-Middle (AitM) attacks, typically against the sign-in flows of services such as Microsoft 365, and it bypasses multi-factor authentication (MFA) because the session cookie it captures is issued only after MFA has already been satisfied.


Malware Details and MITRE ATT&CK Relationship

  • T1557: Adversary-in-the-Middle
  • T1110: Brute Force (password guessing attacks)
  • T1539: Steal Web Session Cookie

Evilginx proxies the real site in full, so the user sees an exact copy of the legitimate login page on a domain the attacker controls. It is a framework for AitM attacks: the attacker registers a lookalike domain, points it at Evilginx, and Evilginx relays every request and response between the victim and the real site while recording the submitted credentials and the session cookies the real site sets. With those cookies the attacker can bypass MFA and gain unauthorized access.


Technical Details

Attack Method

  • Adversary-in-the-Middle (AitM) Attacks: Evilginx lures users to lookalike domains that transparently proxy web traffic to the real site. The credentials the user types and the session cookies the real site issues are captured as they pass through the proxy.
  • Credential and Session Cookie Theft: Because the captured session cookie was issued after MFA was completed, replaying it in the attacker's browser gives access to the account without a second MFA prompt.

Accounts Mostly Targeted by the Malware

  • Corporate accounts (Microsoft 365, Google Workspace, etc.)
  • VPN logins
  • Email systems

Impact of the Malware

Using Evilginx can give attackers unauthorized access to MFA-protected accounts and expose users' sensitive data. This poses a serious threat to both corporate networks and individual users.


Malicious Functions and Coding Structure

  • Evilginx acts as a transparent reverse proxy (the original release reused NGINX; Evilginx2 implements the proxy itself).
  • Users are unknowingly directed to a proxied copy of the real site.
  • In addition to login credentials, session tokens (cookies) are also captured.
  • The captured cookies are replayed in the attacker's browser to bypass MFA.

Phishing Campaign of the Week: Lucid: Next-Generation Phishing Platform Targeting iOS and Android Devices

Description

Lucid is a sophisticated phishing platform run by the China-based XinXin group on the Phishing-as-a-Service (PhaaS) model. Active since mid-2023, it has targeted 169 organizations in 88 countries and focuses specifically on iOS and Android users.


Malware Details

  • Name: Lucid
  • Type: Phishing-as-a-Service (PhaaS)
  • Targets: iOS and Android users
  • Detection Date: Mid-2023
  • Operator: XinXin group

MITRE ATT&CK Techniques

  • T1566.001: Phishing: Spearphishing Attachment
  • T1204.002: User Execution: Malicious File
  • T1071.001: Application Layer Protocol: Web Protocols

Technical Details

Attack Methods

Lucid is sold as a subscription service that gives customers more than 1,000 phishing domains, automatically generated and customizable phishing sites, and professional-grade sending tools. Instead of plain SMS, the lures are delivered over Apple's iMessage and Android's Rich Communication Services (RCS). Because these channels do not pass through the carrier's SMS path, traditional SMS spam filters never see the content, and the operators claim a sending capacity of roughly 100,000 phishing messages per day.

Functions

  • Automatic Phishing Distribution: Customizable fake sites are generated automatically and the links are distributed over iMessage and RCS.
  • Advanced Spam Tools: Professional-grade sending tools ensure that messages reach their targets effectively.
  • Use of Encrypted Messaging: iMessage traffic is end-to-end encrypted and RCS bypasses the carrier SMS path (with end-to-end encryption between Google Messages clients), so carrier-side filters cannot inspect the lures.
  • Subscription-Based Service: Customers get 1,000+ domains and ready-made attack templates.

Another Phishing Campaign of the Week: Advanced Phishing Tactics Using QR Codes (Quishing)

Description

With QR codes now widely used in cyber attacks, a phishing method called "quishing" has emerged. It aims to capture sensitive data (e.g. Microsoft credentials, bank accounts, corporate login information) by directing users to fake websites via QR codes.

Attackers evade email security controls with fake emails, documents and legitimate-looking redirection mechanisms, and they add credibility by placing a genuine verification service such as Cloudflare Turnstile in front of the phishing form.


Attack Methods

  • QR Code Distribution with Fake Emails and Documents: Attackers send emails that imitate services such as DocuSign or Adobe Acrobat Sign and ask recipients to scan a QR code.
  • URL Cloaking and Redirection Mechanisms: QR codes often point first to a legitimate redirection service (e.g. a doubleclick.net or google.com/url? link) that then forwards to the fake login page, so URL reputation checks see a trusted domain.
  • Use of Cloudflare Turnstile: A Turnstile challenge that looks like an ordinary verification step keeps automated scanners away from the phishing form and then forwards the human victim to it.

Technical Details

How Quishing Works

  1. Sending Fake Documents and Emails: The user receives a PDF or email containing a QR code under a pretext such as "urgent action", "tax update" or "document signing".
  2. Scanning the QR Code: When the user scans the QR code with their phone, they are sent through a seemingly legitimate site (e.g. google.com/url?) and on to the phishing site; the phone is usually outside corporate email and web filtering.
  3. Fake Login Page: A Cloudflare Turnstile challenge is shown first, which keeps automated scanners out and makes the page look legitimate, and the user is then asked for credentials.

Targeted Regions and Sectors

  • Common in the US and Europe
  • Industries such as medical, automotive, energy, education and finance are particularly targeted

MITRE ATT&CK Techniques

  • T1566.001: Phishing: Spearphishing Attachment
  • T1204.002: User Execution: Malicious File
  • T1071.001: Application Layer Protocol: Web Protocols
  • T1557: Adversary-in-the-Middle (capture of one-time codes and session tokens)
  • T1027: Obfuscated Files or Information

Featured Vulnerabilities of the Week

Critical Zero-Day Vulnerability (CVE-2025-22457) in Ivanti Connect Secure Product

Description

Ivanti has released a security update for a critical zero-day vulnerability in the Connect Secure product family that is being actively exploited by the China-linked threat actor UNC5221. The vulnerability, tracked as CVE-2025-22457, is a stack-based buffer overflow that allows unauthenticated remote code execution (RCE). It has been used in targeted attacks since mid-March 2025.

Vulnerability Details

  • CVE Number: CVE-2025-22457
  • Vulnerability Type: Stack-based buffer overflow
  • Exploitation Requirements: High attack complexity; no authentication required
  • CVSS Score: 9.0 (Critical) according to Ivanti's advisory
  • Initial Assessment: Ivanti originally judged the bug not to be exploitable for RCE because of the limited character set it accepts; UNC5221 later demonstrated that remote code execution is achievable with advanced techniques.

Affected Products and Versions

  • Ivanti Connect Secure 22.7R2.5 and earlier
  • Ivanti Policy Secure 22.7R1.3 and earlier
  • Pulse Connect Secure 9.1x (end of support)
  • Neurons for ZTA Gateways 22.8R2 and earlier

Technical Details and Exploitation Chain

The overflow can only be triggered with a limited character set (digits and periods). Despite this constraint, the attackers found a way to turn the memory corruption into remote code execution.

Mandiant and Google TAG have identified some of the malware components used in the attacks as follows:

  • TRAILBLAZE: A dropper that runs only in memory
  • BRUSHFIRE: A passive, persistent backdoor
  • SPAWN: A malware family previously used by UNC5221

UNC5221 has previously carried out complex multi-stage intrusions (e.g., the 2024 intrusion at MITRE) by chaining vulnerabilities in Ivanti and NetScaler appliances.

Impact of the Vulnerability

This vulnerability allows attackers to:

  • Remotely execute code on target systems
  • Gain persistent access by hijacking VPN and gateway devices
  • Pivot from the compromised appliance into the corporate network and onward to other systems

Security Updates and Timeline

  • Connect Secure: fixed in version 22.7R2.6, released February 11, 2025 (before the in-the-wild exploitation was recognized); systems still on 22.7R2.5 or earlier should be upgraded immediately and checked with Ivanti's Integrity Checker Tool
  • Policy Secure: patch scheduled for April 19, 2025
  • Neurons for ZTA Gateways: patch scheduled for April 21, 2025

“ImageRunner” Vulnerability in Google Cloud Run Service: Privilege Escalation Risk

Overview

Google Cloud Run is a Google Cloud Platform (GCP) service for running containerized applications. A vulnerability dubbed ImageRunner, discovered by Tenable researcher Liv Matan, allowed an attacker holding only low-level credentials to escalate privileges.

The issue concerned identities that had permission to edit the revisions of a Cloud Run service but had no access to the container registry: they could nonetheless get private container images pulled and run. Google fixed the issue with a change rolled out on January 28, 2025, and details were made public on April 1, 2025.


Technical Details of the Vulnerability

Description of the Vulnerability

The root cause was that, when a new revision was deployed, Cloud Run pulled the requested image with its own service agent and did not check whether the identity requesting the deployment (holding run.services.update) had read access to that image in Artifact Registry or Container Registry. Revision editing permission therefore implied read access to every private image in the project.

Impact

An attacker holding only the revision update permission could:

  • Read sensitive data (secrets, proprietary code) baked into private images,
  • Inject malicious code into the service by deploying image contents or commands of their choosing,
  • Establish persistence in the environment.

Attack Scenario

  1. Initial Access: The attacker obtains an identity with Cloud Run revision update permission, e.g. through social engineering or leaked credentials.
  2. Exploitation: Using that permission, the attacker deploys a new revision that references a private image in the project's registry, optionally overriding the container command (for example to copy the image's file system out).
  3. Result: Cloud Run pulls the image even though the attacker's identity has no registry access, so the image contents, and any secrets baked into them, become readable.

Google’s Intervention

Since January 28, 2025, Google requires the identity deploying a Cloud Run service to hold explicit read permission on the container image (e.g. the Artifact Registry Reader role on the repository). Only identities holding that permission can now deploy revisions that use private images.

Critical Remote Code Execution (RCE) Vulnerability in Apache Parquet: CVE-2025-30065

Description

CVE-2025-30065, disclosed on April 3, 2025, is a critical remote code execution (RCE) vulnerability in Apache Parquet's Java library affecting version 1.15.0 and all earlier versions. It is caused by unsafe handling of the Avro schema embedded in untrusted Parquet files: class names referenced in that schema are loaded and instantiated by the reader. A specially crafted Parquet file therefore allows arbitrary code to run on the system that parses it.

CVE Information

  • CVE ID: CVE-2025-30065
  • Vulnerability Type: Remote Code Execution (RCE)
  • Versions Affected: Apache Parquet 1.15.0 and earlier
  • CVSS Score: 10.0 (Critical)
  • Fix Version: 1.15.1
  • Discovered by: Keyi Li (Amazon)

Technical Details

  • The vulnerability is located in the parquet-avro module, which reads the Avro schema stored in the file's footer metadata.
  • While building converters for that schema, parquet-avro resolves the Java class named in schema properties such as "java-class" through reflection and instantiates it, without validating that the class belongs to a trusted package.

For example (the schema parse is where the untrusted input enters; the sink is the converter's class lookup that follows it):

import org.apache.avro.Schema;
Schema schema = new Schema.Parser().parse(schemaFromFooter); // schema text comes from the untrusted file's footer
// parquet-avro then resolves any "java-class" property via Class.forName() and instantiates it: the actual sink

  • A Parquet file whose embedded schema names an attacker-chosen class therefore causes that class to be loaded and instantiated in the reading JVM. Version 1.15.1 restricts the allowed classes to the packages listed in the org.apache.parquet.avro.SERIALIZABLE_PACKAGES system property.
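Because the trigger lives in the footer metadata rather than in the column data, a file can be triaged before any parquet-avro reader opens it: slice the footer using the trailer layout (footer bytes, 4-byte little-endian length, "PAR1"), pull out the Avro schema JSON and look for class-bearing properties. The scanner below is an added example; it is not code from Apache Parquet and not a reimplementation of the 1.15.1 fix. "java-class" is the property the advisory concerns; "java-key-class" and "java-element-class" are the related Avro reflection properties and are flagged as a conservative assumption. The sample "file" it scans is a constructed mock whose footer merely contains the metadata string, not a valid Thrift-encoded footer, so it will not open in a real reader.

```python
"""Triage Parquet files for the CVE-2025-30065 trigger before a parquet-avro reader touches them.

Added example, not code from Apache Parquet. Reads the footer as raw bytes,
extracts the embedded Avro schema JSON and reports schema nodes carrying a
class-bearing property. The mock file builder produces a file-shaped byte
string, not a real Thrift footer.
"""
import json
import struct

MAGIC = b"PAR1"
SCHEMA_KEYS = (b"parquet.avro.schema", b"avro.schema")  # current and legacy metadata keys
CLASS_PROPS = ("java-class", "java-key-class", "java-element-class")  # resolved by reflection


def read_footer(blob):
    """Slice the footer: ... footer bytes | 4-byte LE footer length | 'PAR1'."""
    if len(blob) < 12 or not blob.startswith(MAGIC) or not blob.endswith(MAGIC):
        raise ValueError("not a Parquet file: magic bytes missing")
    (footer_len,) = struct.unpack("<I", blob[-8:-4])
    if footer_len > len(blob) - 12:
        raise ValueError("footer length exceeds file size")
    return blob[-8 - footer_len:-8]


def extract_avro_schema(footer):
    """Locate the schema JSON after the metadata key by brace matching (string-aware)."""
    for key in SCHEMA_KEYS:
        i = footer.find(key)
        if i < 0:
            continue
        start = footer.find(b"{", i + len(key))
        if start < 0:
            continue
        depth, in_str, esc = 0, False, False
        for j in range(start, len(footer)):
            c = footer[j]
            if in_str:
                if esc:
                    esc = False
                elif c == 0x5C:      # backslash: next char is escaped
                    esc = True
                elif c == 0x22:      # closing quote
                    in_str = False
                continue
            if c == 0x22:
                in_str = True
            elif c == 0x7B:
                depth += 1
            elif c == 0x7D:
                depth -= 1
                if depth == 0:
                    return json.loads(footer[start:j + 1].decode("utf-8"))
    return None


def find_class_refs(node, path="$"):
    """Walk the schema and return (json_path, property, class_name) for every class reference."""
    hits = []
    if isinstance(node, dict):
        for prop in CLASS_PROPS:
            if prop in node:
                hits.append((path, prop, node[prop]))
        for k, v in node.items():
            hits.extend(find_class_refs(v, f"{path}.{k}"))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            hits.extend(find_class_refs(v, f"{path}[{i}]"))
    return hits


def scan_parquet_bytes(blob):
    schema = extract_avro_schema(read_footer(blob))
    return [] if schema is None else find_class_refs(schema)


def mock_parquet(schema):
    """Build a file-shaped byte string whose footer contains the schema (mock, not real Thrift)."""
    schema_bytes = json.dumps(schema, separators=(",", ":")).encode("utf-8")
    footer = b"\x15\x00" + SCHEMA_KEYS[0] + b"\x18" + schema_bytes + b"\x00"
    return MAGIC + b"<row group bytes>" + footer + struct.pack("<I", len(footer)) + MAGIC


BENIGN_SCHEMA = {"type": "record", "name": "sale", "fields": [
    {"name": "sku", "type": "string"}, {"name": "amount", "type": "double"}]}

# Constructed; the class name is illustrative, not a real gadget.
MALICIOUS_SCHEMA = {"type": "record", "name": "sale", "fields": [
    {"name": "sku", "type": {"type": "string", "java-class": "com.example.Gadget"}},
    {"name": "amount", "type": "double"}]}


if __name__ == "__main__":
    for label, schema in (("benign", BENIGN_SCHEMA), ("malicious", MALICIOUS_SCHEMA)):
        print(label, scan_parquet_bytes(mock_parquet(schema)))
```

A hit is a reason to quarantine the file, not proof of exploitation: legitimate writers that use Avro reflection can emit "java-class" for stringable types, so the class name should be compared against what the pipeline's own writers are known to produce.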

Impact and Risks

  • Affects any Java pipeline that reads Parquet through parquet-avro, including Apache Hadoop jobs and the data-lake and ETL services on AWS, Google Cloud and Azure that embed it; readers that do not use parquet-avro (e.g. the native C++ and Python readers) are not affected.
  • File-based triggering: RCE can be triggered during processing of Parquet files from external sources, so any ingest path that accepts user-supplied files is an entry point.
  • Possible consequences:
      • Unauthorized system access
      • Data exfiltration and modification
      • Risk of ransomware infection
      • Service interruption

What’s Happening in the Hacker Forum World

SendGrid (Twilio) DATABASE LEAK – Database, Leaked!

  • Date: April 3, 2025
  • Threat Actor: Veracity
  • Forum: BreachForums

In April 2025 a post on BreachForums claimed a data breach of the SendGrid (Twilio) database, one of the world's leading cloud-based email infrastructure providers. The seller claims that critical data businesses use for managing email delivery was taken and is being offered for sale.

Breach Details:

  • Data Types: Email, Phone Number, Address, City, State, Country, Social Media, LinkedIn ID, etc.
  • Years: 2017 – 2022
  • Total Number of Records: Over 8 million
  • Payment Methods: Bitcoin, Monero

According to the seller's post, the data has been verified and is being offered for sale on darknet platforms for a fee; this is the attacker's own claim and remains unverified. Businesses and users who may be affected are advised to review their passwords and security measures.

German Doner Kebab (GDK) – CUSTOMER DATABASE LEAK – Database, Leaked!

  • Date: March 21, 2025
  • Threat Actor: outcabeast
  • Forum: BreachForums

In March 2025 a post on BreachForums claimed a data breach of the customer database of the fast-casual kebab chain German Doner Kebab (GDK). The seller claims that customers' personal information was taken and is being offered for sale.

Breach Details:

  • Data Types: Customer Date of Birth, Email Address, Phone Number, Address, Zip Code, Marketing Permissions, etc.
  • Year: 2023
  • Total Number of Records: It is estimated that thousands of records were accessed

According to the seller's post, the data has been verified and is being offered for sale on dark web platforms for a fee; the claim remains unverified. Customers who may be affected are advised to review their passwords and security measures.

Oracle Cloud Traditional (login.XQ.oraclecloud.com) Hacked – Database, Leaked!

  • Date: March 27, 2025
  • Threat Actor: woe987168
  • Forum: BreachForums

In March 2025 a post on BreachForums claimed a breach of the servers of the cloud provider Oracle Cloud Traditional (login.XQ.oraclecloud.com). The attacker claims to have taken databases containing employee and customer information belonging to different companies and has offered this data for sale on the dark web. Some of the allegedly leaked data has been posted on the forum as "sample records".

Breach Details:

  • Data Types: LDAP Information, Employee Personal Data, Customer Records, Form/JPS Files, etc.
  • Year: 2025 (fresh sample data)
  • Total Number of Records: Claimed to be over 200 million
  • Payment Methods: BTC, XMR

The threat actor claims that the compromised data includes employee information from various companies and that these companies will have to pay a certain “fee” to have their data removed. This suggests that companies and users affected by the leak should review their personal/corporate security measures.

 
