Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
BADBOX 2.0 Infected Over 1 Million Android Devices Worldwide
(TLP: CLEAR) The emergence of BADBOX 2.0 marks a significant escalation in mobile cybersecurity threats, with over one million Android devices compromised across multiple countries. This advanced persistent threat leverages multiple attack vectors, including supply chain infiltration, compromised applications, and direct firmware modifications, making it a sophisticated malware campaign. Unlike conventional Android malware, BADBOX 2.0 integrates machine learning algorithms to dynamically adapt its behavior based on device usage patterns and security software presence. The malware primarily targets financial applications, cryptocurrency wallets, and enterprise messaging platforms, leading to substantial financial and privacy losses. Estimates indicate global damages exceeding $180 million, with affected users experiencing unauthorized financial transactions and intellectual property theft. The malware exhibits a high degree of persistence, surviving factory resets and system updates by exploiting vulnerabilities in Android’s bootloader verification process. Once embedded, BADBOX 2.0 masquerades as legitimate system components, modifying critical partitions and injecting malicious code into essential Android services. Detection and mitigation efforts are complicated by the malware’s ability to maintain encrypted communication channels with command-and-control servers across multiple jurisdictions. Additionally, its watchdog system actively monitors security software installations, temporarily disabling its activities to evade detection. Given its widespread impact and advanced evasion techniques, BADBOX 2.0 represents a critical challenge for cybersecurity professionals, necessitating enhanced threat intelligence, robust endpoint security measures, and coordinated international response efforts.
(TLP: CLEAR) Comments: The BADBOX 2.0 malware is notable for its unforeseen scale. It uses advanced persistence mechanisms and is another critical threat to IoT devices. The large number of infected devices gives the botnet dangerous capabilities, such as large-scale attack operations like DDoS. BADBOX 2.0 also gives the threat actor a wide array of intelligence: depending on the type of IoT device, the actor behind BADBOX 2.0 potentially gains network intelligence, behavioral and usage intelligence, credential and account intelligence, physical intelligence, and possibly supply chain intelligence. Users should consider hardening the IoT devices on their networks and deploying a form of malware protection.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://cybersecuritynews.com/badbox-2-0-infected-over-1-million-android-devices/
AI Bots Reshaping Web Traffic: Security Implications and Industry Shifts
(TLP: CLEAR) AI-powered bots are fundamentally transforming web traffic patterns and creating unprecedented cybersecurity challenges that threaten both the economic foundation of the internet and traditional security models. Traditional search traffic has declined 40% as users migrate to AI chatbots, while malicious bots now comprise 37% of internet traffic, with AI-powered variants successfully evading CAPTCHAs 92% of the time through sophisticated techniques including credential stuffing, real-time attack adaptation, and context-aware phishing campaigns using scraped social media data. The web’s ad-supported revenue model faces collapse as AI scrapers bypass monetized content, prompting publishers to implement stricter paywalls and pursue legal action against scraping services like Bright Data, potentially fragmenting the open web into closed ecosystems. Security teams confront novel attack vectors created by AI integration into browsing experiences, including AI-powered session hijacking, training data poisoning, and adversarial prompt injection, with recent incidents highlighting the risks through cases like lawyers sanctioned for citing AI-generated fake legal cases and MIT research revealing 15% of AI-generated URLs are fabricated. The convergence of AI with technologies like VR introduces additional privacy concerns, while the emergence of AI-first interfaces threatens to bypass conventional web security controls entirely. Organizations must urgently implement AI-specific WAF rules, monitor for data leakage through AI training datasets, and develop verification protocols for AI-generated intelligence to address this rapidly evolving threat landscape that renders traditional security models potentially obsolete.
(TLP: CLEAR) Comments: The rapid advancement of AI is accelerating a change in internet traffic patterns. Users are switching from traditional web searching to searching with AI chatbots. As AI continues to develop at an unprecedented pace, we’re witnessing a major shift in the composition of web traffic. While much of the internet was traditionally driven by human interaction, a growing portion is now generated by bots, many of them AI-powered. This shift has significant implications for security and digital trust, demanding new strategies to distinguish between human and machine behavior online. Moving forward, Bot Management and countermeasures that mitigate bad bots will be an imperative that should be prioritized across the broader security community.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “The HTTP protocol used in web servers has been exploited by attackers in many ways, such as to place malicious software on the computer of someone browsing the web, or to fool a person into revealing private information that they might not have otherwise. Many of these exploits can be detected by specialized application firewalls called web application firewalls that reside in front of the web server.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes several tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.
Source: https://redteamnews.com/threat-intelligence/ai-bots-reshaping-web-traffic-security-implications-and-industry-shifts/
Malicious Browser Extensions Infect Over 700 Users Across Latin America Since Early 2025
(TLP: CLEAR) Operation Phantom Enigma is a cybersecurity campaign discovered in 2025 that steals banking credentials from users through malicious browser extensions. The campaign has infected users across multiple countries (Brazil, Colombia, Czech Republic, Mexico, Russia, Vietnam), with 722 downloads and 70 victim companies identified. The multi-stage attack begins with phishing emails containing malicious attachments or links. When opened, a batch script downloads a PowerShell script that checks for virtualized environments and specifically looks for Diebold Warsaw (a Brazilian banking security plugin). The script disables security controls, establishes persistence, and connects to command servers. Attackers deploy extensions for Chrome, Edge, and Brave browsers that specifically target users. When victims visit their company’s website, the extension steals authentication tokens and can display fake loading screens or malicious QR codes. The extensions have since been removed from the Chrome Web Store. The attackers left traces including “EnigmaCyberSecurity” identifiers and German command words that may indicate their origins or use of repurposed code.
(TLP: CLEAR) Comments: Operation Phantom Enigma emerged this year targeting the financial sector. It weaponizes malicious browser extensions, delivered through phishing emails, to harvest credentials and information. The methods Phantom Enigma uses aim to persist and remain undetected by disabling security controls. This type of attack highlights the importance of removing such extensions from online stores. Furthermore, this attack underscores the importance of phishing awareness and browser security.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://thehackernews.com/2025/06/malicious-browser-extensions-infect-722.html
Kettering Health Confirms Attack by Interlock Ransomware Group as Health Record System is Restored
(TLP: CLEAR) Kettering Health, one of Ohio’s largest healthcare systems, confirmed that the Interlock ransomware group was responsible for the systemwide outages affecting its medical centers and clinics since May 20, 2025. The attack disrupted electronic health records (EHR), phone lines, and internal systems, forcing the cancellation of elective procedures and ambulance diversions. The Interlock ransomware gang claimed responsibility, alleging they exfiltrated financial records and other sensitive data, though Kettering Health has not disclosed whether it plans to pay the ransom. In response, the organization conducted a thorough security review, implemented network segmentation, enhanced monitoring, and updated access controls, and worked with external cybersecurity experts to restore its EHR system. Over 200 personnel contributed to recovery efforts, though inbound and outbound communications remain partially affected. The Interlock group has previously targeted DaVita, Texas Tech University Health Sciences Center, and its El Paso counterpart, demonstrating a pattern of disrupting critical healthcare infrastructure. This attack is part of a broader wave of cyber incidents targeting healthcare, with multiple hospitals across New England and Central Maine Healthcare also experiencing outages due to cyberattacks.
(TLP: CLEAR) Comments: This attack highlights the continuing threat of ransomware. The Interlock ransomware group has rapidly evolved into a high-impact cyber threat, targeting the healthcare, government, and defense sectors. Critical infrastructure like healthcare requires strong cybersecurity measures, as ransomware can disrupt essential services, compromise sensitive data, and endanger patient care. While the organization has implemented network segmentation and enhanced monitoring, the broader healthcare industry must adopt proactive security strategies to mitigate future attacks.
(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and the Health Insurance Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:
- Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks.
- Implementing procedures to guard against and detect malicious software.
- Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections.
- Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://therecord.media/kettering-health-ohio-interlock-ransomware
APT41 Hackers Using Google Calendar for Malware Command-and-Control To Attack Government Entities
(TLP: CLEAR) Chinese state-sponsored threat actor APT41 has developed a novel command-and-control (C2) technique using Google Calendar events to evade detection, targeting Taiwanese government entities through spear-phishing and cloud-based malware delivery. The attack begins with ZIP archives disguised as export customs documents, containing a shortcut LNK file and encrypted malware hidden in images. When executed, the malware suite (PLUSDROP, PLUSINJECT, and TOUGHPROGRESS) leverages memory-resident execution, process hollowing, and cloud-based C2 to maintain persistence. APT41’s innovation lies in its abuse of Google Calendar events, embedding AES-encrypted commands within event descriptions and periodically checking them using OAuth2 tokens, mimicking legitimate synchronization behavior. Commands are decrypted using a hardcoded XOR key and executed via svchost.exe injection, while exfiltrated data is appended to new calendar events disguised as routine meetings. This technique is highly evasive, as 76% of enterprise firewalls whitelist Google services, allowing undisturbed data transit. APT41 further obfuscates C2 patterns using Cloudflare Workers subdomains as proxy relays. Key Indicators of Compromise (IOCs) include malicious image files (6.jpg, 7.jpg) containing XOR-encrypted PE headers. Defenders should monitor abnormal svchost.exe instances, inspect Google Calendar event metadata for BASE64 blobs, and restrict Google Workspace API permissions to mitigate similar threats. This operation highlights APT41’s continued evolution in exploiting trusted cloud services, a trend likely to proliferate among state-aligned threat actors.
(TLP: CLEAR) Comments: Users generally trust platforms like Google to be secure, but attackers are increasingly exploiting this trust to carry out cyberattacks. By using Google Calendar events for command-and-control (C2) operations, threat actors like APT41 can blend malicious activity with legitimate traffic, making detection difficult. Since many organizations whitelist Google services, malware communications can bypass traditional security measures unnoticed. This highlights the risks of relying too heavily on trusted providers without additional security controls. Users and organizations must remain vigilant, regularly audit cloud service permissions, and implement monitoring solutions to detect abnormal activity, even within platforms they consider safe.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
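A simple form of the textual DGA tagging the CISA excerpt describes, as an added example written for this summary rather than code from CISA or from Vercara’s UltraDDR: it scores the registrable label of each queried name by Shannon entropy and digit ratio over a constructed DNS query log and groups the hits by client so that a noisy host stands out. The log line format, the single-label public suffix handling, and the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the report): "<timestamp> <client_ip> <qname>"
SAMPLE_LOG = """\
2025-06-02T10:01:05Z 10.0.0.15 www.example.com
2025-06-02T10:01:07Z 10.0.0.15 calendar.google.com
2025-06-02T10:01:09Z 10.0.0.22 xk3q9z7w1p5m8r2t.net
2025-06-02T10:01:11Z 10.0.0.22 a1b2c3d4e5f6g7h8i9j0.info
2025-06-02T10:01:13Z 10.0.0.31 mail.corp.example.com
2025-06-02T10:01:15Z 10.0.0.22 qwpzlxvjmtkbdhgf.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; a flat distribution over n distinct symbols gives log2(n)."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label directly left of the TLD. Assumes single-label public suffixes (no co.uk handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_dga_like(label: str, entropy_threshold: float = 3.5,
                min_len: int = 12, digit_ratio_threshold: float = 0.3) -> bool:
    """Heuristic tag: a long label with near-uniform characters or an unusual share of digits."""
    if len(label) < min_len:
        return False  # short labels cannot reach a meaningful entropy, so never tag them
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold or digit_ratio >= digit_ratio_threshold


def scan_log(log_text: str) -> dict:
    """Return {client_ip: [flagged qnames]} so clients with many hits surface for triage."""
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, qname = m.groups()
        if is_dga_like(registrable_label(qname)):
            flagged[client].append(qname)
    return dict(flagged)


if __name__ == "__main__":
    for client, names in scan_log(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like queries -> {names}")
```

Legitimate CDN and cloud hostnames with hashed labels also trip the entropy rule, so in practice this tag is one signal that a PDNS correlates with threat-intelligence feeds and query history, not a block decision on its own.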
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.