Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users via Fake Apps
(TLP: CLEAR) The Hacker News article from April 11, 2025, discusses the resurgence of three Android malware families—SpyNote, BadBazaar, and Moonshine—delivered through deceptive websites masquerading as legitimate app stores. These campaigns primarily target Uyghur, Tibetan, and Taiwanese communities, as well as journalists, NGOs, and civil society members advocating for these groups. SpyNote, also known as SpyMax, is a remote access trojan (RAT) that exploits Android’s Accessibility Services to gain extensive control over compromised devices. BadBazaar is an Android spyware tool linked to Chinese cyberspies, specifically targeting ethnic and religious minorities in China, most notably the Uyghurs in Xinjiang. The spyware has used at least 111 different apps since 2018 to infect Uyghurs, promoting them on communication channels populated by the particular ethnic group. The impersonated apps cover a wide range of categories, from dictionaries to religious practice companions and from battery optimizers to video players. Only a few of the BadBazaar apps promoted to Uyghurs have been found on Google Play, indicating they are likely distributed via third-party stores or malicious websites. Moonshine is a modular spyware tool that has been used in campaigns against Tibetan groups. The newer variants, observed since July 2022, have added more modules to extend the tool’s surveillance capabilities. The data Moonshine steals from compromised devices include network activity, IP address, hardware info, and more.
(TLP: CLEAR) Comments: These malware families—SpyNote, BadBazaar, and Moonshine—represent a significant threat to targeted communities and individuals. Their capabilities to exfiltrate sensitive data and maintain persistent control over infected devices underscore the importance of vigilance and robust cybersecurity measures. Users should avoid downloading apps from untrusted sources, be cautious of unsolicited links, and employ comprehensive security solutions to protect against such threats.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
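As an added illustration of the four domain classes CISA lists above, and of the network-level detection the NIST DE.CM-01 items later in this report recommend, the Python below is a toy protective-DNS filter. It is not CISA's, Vercara's or any resolver's code: it applies a constructed threat feed (phishing, malware, gambling entries), a constructed block policy, and an entropy heuristic for DGA-like labels to constructed DNS query log lines. The feed entries, the log line format, the public-suffix stand-in and the DGA threshold are all assumptions.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed threat feed (not real intelligence): domain -> category.
# An entry covers the domain itself and all of its subdomains.
THREAT_FEED = {
    "login-micros0ft-support.example": "phishing",
    "cdn-update-check.example": "malware",
    "bet-now.example": "gambling",
}

# Constructed policy: categories this environment blocks.
BLOCKED_CATEGORIES = {"phishing", "malware", "gambling"}

# Tiny stand-in for a public-suffix list, used to isolate the registrable label.
PUBLIC_SUFFIXES = ("example", "com", "net", "org")

# Assumed tuning values for the DGA heuristic.
DGA_MIN_LABEL_LENGTH = 12
DGA_ENTROPY_THRESHOLD = 3.5  # bits per character


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(fqdn: str) -> str:
    """Return the label just left of the public suffix (the part an attacker chooses)."""
    labels = fqdn.lower().rstrip(".").split(".")
    while len(labels) > 1 and labels[-1] in PUBLIC_SUFFIXES:
        labels.pop()
    return labels[-1]


def looks_like_dga(fqdn: str) -> bool:
    """Flag long, high-entropy labels: a crude version of the textual-attribute analysis CISA describes."""
    label = registrable_label(fqdn)
    return len(label) >= DGA_MIN_LABEL_LENGTH and shannon_entropy(label) >= DGA_ENTROPY_THRESHOLD


def classify(qname: str) -> str:
    """Feed lookup on the name and each parent domain first, then the DGA heuristic."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = THREAT_FEED.get(".".join(labels[i:]))
        if category:
            return category
    return "dga" if looks_like_dga(qname) else "uncategorized"


@dataclass
class Verdict:
    client: str
    qname: str
    action: str  # "allow" or "block"
    reason: str  # category that drove the decision


def filter_query(client: str, qname: str) -> Verdict:
    category = classify(qname)
    if category == "dga" or category in BLOCKED_CATEGORIES:
        return Verdict(client, qname, "block", category)
    return Verdict(client, qname, "allow", category)


# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>" (assumed, not a real resolver's format).
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

SAMPLE_LOG = [
    "2025-04-11T10:00:01Z 10.1.2.3 A www.example.com",
    "2025-04-11T10:00:02Z 10.1.2.3 A login-micros0ft-support.example",
    "2025-04-11T10:00:03Z 10.1.2.4 A xkq7ma2vr9pz4wbt.example",
    "2025-04-11T10:00:04Z 10.1.2.5 A bet-now.example",
    "2025-04-11T10:00:05Z 10.1.2.6 TXT cdn-update-check.example",
]


def process_log(lines) -> list:
    verdicts = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, _qtype, qname = match.groups()
        verdicts.append(filter_query(client, qname))
    return verdicts


if __name__ == "__main__":
    for v in process_log(SAMPLE_LOG):
        print(f"{v.action:5} {v.client:10} {v.qname:40} {v.reason}")
```

The feed lookup walks parent domains so that a subdomain of a listed domain is caught, and feed hits take precedence over the heuristic. Entropy on its own produces false positives (CDN hostnames and hashed labels also score high), which is why the CISA text speaks of tagging "attributes" rather than a single metric; a production PDNS combines the score with domain age, registrar and resolution history before blocking.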
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
Source: https://thehackernews.com/2025/04/spynote-badbazaar-moonshine-malware.html
Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft
(TLP: CLEAR) A recent report by Cofense highlights an emerging phishing technique termed “precision-validating phishing,” which enhances the effectiveness of credential theft campaigns by incorporating real-time email validation. This method distinguishes itself from traditional bulk phishing by targeting only verified, high-value email accounts, thereby increasing the likelihood of successful exploitation.
(TLP: CLEAR) Comments: In precision-validating phishing, attackers utilize API- or JavaScript-based services to validate email addresses entered on phishing landing pages. If the entered email matches a pre-compiled list of active, high-value accounts, the victim is presented with a counterfeit login interface. Conversely, if the email is not recognized, the phishing page either displays an error message or redirects the user to a benign site, such as Wikipedia. This approach minimizes detection by evading automated security tools and sandbox environments, which often cannot bypass the validation filter.
The integration of real-time email validation serves multiple purposes:
- Enhanced Targeting: By confirming the validity of email addresses before presenting phishing content, attackers ensure that their efforts are directed towards active and potentially valuable accounts.
- Improved Data Quality: Harvested credentials are more likely to be associated with legitimate accounts, increasing their value for resale or further exploitation.
- Extended Campaign Longevity: The selective engagement with verified accounts reduces the risk of detection and prolongs the operational lifespan of phishing campaigns.
(TLP: CLEAR) Recommended best practices/regulations:
NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators to build custom rules that augment and extend the other engines of UltraDDR.
Source: https://thehackernews.com/2025/04/phishing-campaigns-use-real-time-checks.html
Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders
(TLP: CLEAR) A recent cybersecurity disclosure reveals that a malicious Python package, ccxt-mexc-futures, was uploaded to the Python Package Index (PyPI) repository. This package masqueraded as an extension to the legitimate ccxt library, which is widely used for cryptocurrency exchange integrations. The malicious package has since been removed from PyPI but was downloaded at least 1,065 times before its removal.
(TLP: CLEAR) Comments: The ccxt-mexc-futures package specifically targeted the MEXC cryptocurrency exchange by overriding critical API functions within the ccxt library. It modified the following functions:
- describe
- sign
- prepare_request_headers
Additionally, it introduced a new function:
- spot4_private_post_order_place
These modifications enabled the package to intercept and redirect trading orders intended for MEXC to a malicious server. The package achieved this by embedding a configuration that directed API requests to the attacker-controlled domain greentreeone.com, instead of the legitimate MEXC domain. This redirection allowed the attackers to hijack the victim’s cryptocurrency orders and potentially steal funds.
Furthermore, the package was designed to exfiltrate sensitive information, including MEXC API keys and secret keys, to the malicious server whenever a trading request was made. This data theft posed a significant risk to users’ cryptocurrency assets and credentials.
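As an added defensive illustration, and not code from the report, from the ccxt project or from the malicious package, the Python below audits an exchange object for the two signals described above: the named methods being supplied by a class defined outside the trusted ccxt package, and API URLs whose host is not on an expected allowlist. The real ccxt classes are replaced with constructed stand-ins so the script runs offline; the host allowlist, the trusted package name and the stand-in class shapes are assumptions, and greentreeone.com is the domain named in the report.

```python
import inspect
from urllib.parse import urlsplit

# Assumed allowlist of hosts a MEXC client is expected to talk to.
EXPECTED_HOST_SUFFIXES = ("mexc.com",)
# Methods the report names as overridden by the malicious package.
AUDITED_METHODS = ("describe", "sign", "prepare_request_headers")
# Top-level package a legitimate exchange class must be defined in.
TRUSTED_PACKAGE = "ccxt"


class MexcStandIn:
    """Constructed stand-in for the real ccxt MEXC class; only the shape matters here."""

    def describe(self):
        return {"id": "mexc", "urls": {"api": {"spot": "https://api.mexc.com",
                                                "contract": "https://contract.mexc.com"}}}

    def sign(self, path, params=None):
        return {"url": self.describe()["urls"]["api"]["spot"] + "/" + path, "params": params or {}}

    def prepare_request_headers(self, headers=None):
        return dict(headers or {})


MexcStandIn.__module__ = "ccxt.mexc"  # simulate the class living inside the ccxt package


class TrojanizedMexc(MexcStandIn):
    """Constructed imitation of the behaviour the report describes, used only as audit input."""

    def describe(self):
        config = super().describe()
        # Point the contract API at the attacker domain named in the report.
        config["urls"]["api"]["contract"] = "https://greentreeone.com"
        return config

    def spot4_private_post_order_place(self, params):
        # The report says the real package added this function; the stand-in only records the call.
        return {"placed_via": "stand-in", "params": params}


TrojanizedMexc.__module__ = "ccxt_mexc_futures"  # simulate a separately installed add-on package


def defining_class(cls, name):
    """Walk the MRO to find which class actually supplies attribute `name`."""
    for klass in cls.__mro__:
        if name in vars(klass):
            return klass
    return None


def is_trusted(klass) -> bool:
    return klass.__module__.split(".")[0] == TRUSTED_PACKAGE


def iter_urls(obj):
    """Yield every string found in a nested dict/list configuration."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_urls(value)
    elif isinstance(obj, (list, tuple)):
        for value in obj:
            yield from iter_urls(value)


def audit_exchange(exchange) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    cls = type(exchange)
    # 1. Were the sensitive methods replaced by code outside the trusted package?
    for name in AUDITED_METHODS:
        owner = defining_class(cls, name)
        if owner is not None and not is_trusted(owner):
            findings.append(f"{name} overridden by {owner.__module__}.{owner.__name__}")
    # 2. Were new public methods bolted on from outside the trusted package?
    for name, _ in inspect.getmembers(cls, inspect.isfunction):
        owner = defining_class(cls, name)
        if name not in AUDITED_METHODS and not name.startswith("_") and owner and not is_trusted(owner):
            findings.append(f"method added outside {TRUSTED_PACKAGE}: {name} ({owner.__module__})")
    # 3. Does any configured API URL leave the expected hosts?
    for url in iter_urls(exchange.describe().get("urls", {})):
        host = urlsplit(url).hostname or ""
        if not any(host == s or host.endswith("." + s) for s in EXPECTED_HOST_SUFFIXES):
            findings.append(f"API URL points to unexpected host: {host}")
    return findings


if __name__ == "__main__":
    print("clean:", audit_exchange(MexcStandIn()))
    print("trojanized:", audit_exchange(TrojanizedMexc()))
```

The module-name check is the weaker of the two signals, since an add-on can call itself anything, so the host allowlist carries most of the weight: whatever the class hierarchy looks like, an order that is signed for a host other than the exchange's own is the behaviour the report describes. In practice the audit would run against the live ccxt exchange instance after all imports, alongside dependency pinning and hash verification of installed packages.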
(TLP: CLEAR) Recommended best practices/regulations:
OWASP API Top 10, API9:2023 “Improper Inventory Management”:
- Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g. production, staging, test, development), who should have network access to the host (e.g. public, internal, partners) and the API version.
- Inventory integrated services and document important aspects such as their role in the system, what data is exchanged (data flow), and their sensitivity.
- Document all aspects of your API such as authentication, errors, redirects, rate limiting, cross-origin resource sharing (CORS) policy, and endpoints, including their parameters, requests, and responses.
- Generate documentation automatically by adopting open standards. Include the documentation build in your CI/CD pipeline.
- Make API documentation available only to those authorized to use the API.
- Use external protection measures such as API security specific solutions for all exposed versions of your APIs, not just for the current production version.
- Avoid using production data with non-production API deployments. If this is unavoidable, these endpoints should get the same security treatment as the production ones.
- When newer versions of APIs include security improvements, perform a risk analysis to inform the mitigation actions required for the older versions. For example, whether it is possible to backport the improvements without breaking API compatibility or if you need to take the older version out quickly and force all clients to move to the latest version.
(TLP: CLEAR) Vercara: Vercara UltraAPI offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively.
Source: https://thehackernews.com/2025/04/malicious-pypi-package-targets-mexc.html
Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool
(TLP: CLEAR) The China-linked threat actor UNC5174 has initiated a new cyber espionage campaign targeting Linux systems. This campaign utilizes a variant of the SNOWLIGHT malware, along with a new open-source tool named VShell, to compromise systems and establish persistent access.
(TLP: CLEAR) Comments: In this campaign, SNOWLIGHT serves as a dropper that deploys VShell, a remote access trojan (RAT), onto the compromised Linux systems. The initial infection vector remains unidentified, but the attack chain involves executing a malicious bash script (“download_backd.sh”) that deploys SNOWLIGHT binaries (dnsloger) and Sliver (system_worker). These components facilitate persistence and communication with a command-and-control (C2) server. VShell operates as a fileless RAT, enabling attackers to execute arbitrary commands and transfer files. It employs WebSockets for C2 communication, enhancing its stealth and making detection more challenging. Notably, both SNOWLIGHT and VShell are capable of targeting Apple macOS systems, broadening the scope of potential victims.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real-time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html