👉 What’s happening in cybersecurity today?
OctoV2 Android Trojan, DeepSeek AI, Sensitive Information, Coinbase Phishing, Fake Wallet, PyPI Packages, Data Exfiltration, RedCurl APT, Law Firms, Cyber Espionage, Hackers, Cascading Style Sheets, Spam Filters, São Paulo Airport, Cyberattack, Spar Switzerland, Pelham School District, Germany, Kirkel Town Hall, Edesur Dominicana, EU Cyber Espionage Threat, Telecom Sector, White House, Cybersecurity Staff, FCC, Submarine Cable Security, Uber, Former CSO Joe Sullivan, GSMA, End-to-End Encryption, RCS Messaging.
1. OctoV2 Trojan Poses as DeepSeek AI App
The OctoV2 Android banking trojan has been found disguising itself as the legitimate DeepSeek AI application. Distributed through a phishing website, the malware steals sensitive information like login credentials by tricking users into downloading a malicious APK. The trojan uses advanced evasion tactics, including password protection and persistent permissions, to gain control over the device and bypass detection.
2. Coinbase Users Targeted in Phishing Scam
A recent phishing attack has targeted Coinbase users by posing as a mandatory wallet migration. The scam emails falsely claim that Coinbase is transitioning to self-custodial wallets due to legal reasons, urging users to take immediate action to migrate their assets. The emails provide a pre-generated recovery phrase, which, when used to set up a new wallet, allows attackers to control the wallet and steal funds once users transfer their assets. Unlike other phishing scams, this one doesn’t involve malicious links but instead uses a legitimate Coinbase Wallet page to deceive victims into following the instructions.
3. Malicious PyPI Packages Steal Sensitive Data
Cybersecurity researchers recently uncovered a sophisticated campaign targeting users of the Python Package Index (PyPI) repository. The malicious packages, disguised as time-related utilities, are designed to steal sensitive data such as cloud access tokens, API keys, and environment variables. The attack utilizes a technique called combosquatting, which tricks developers by mimicking legitimate libraries. The malware employs advanced exfiltration methods, including encrypting stolen data and transmitting it through blockchain transactions, making it harder to detect.
4. RedCurl Targets Law Firms and Corporations
In January 2025, the RedCurl APT group, also known as EarthKapre, launched a sophisticated cyber espionage campaign aimed at law firms and corporate organizations. The attackers employed a multi-stage strategy, starting with phishing emails that included a disguised executable file, leading to the installation of malware on the victims’ systems. The group used legitimate tools like Adobe executables to sideload their malicious loader, making the attack difficult to detect.
5. Hackers Use CSS to Evade Spam Filters
Researchers have uncovered a trend where cybercriminals are using Cascading Style Sheets (CSS) to bypass spam filters and secretly track user behavior. One method is hidden text salting: filler content is rendered invisible to the human reader but still feeds the filter's text analysis, disrupting detection. These techniques also let attackers gather information about recipients without their knowledge, making email attacks more sophisticated and harder to detect.
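As an added illustration of the hidden-text salting described above (not code from the original article), a small Python detector that splits an HTML body into human-visible and CSS-hidden text and reports the hidden share. It only evaluates inline style attributes, so class-based rules in a `<style>` block are an assumed limitation; the sample message is constructed.

```python
import re
from html.parser import HTMLParser

# Inline CSS declarations that make text invisible to a human reader.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em|%)?(?![\d.])"
    r"|opacity\s*:\s*0(?:\.0+)?(?![\d.])|color\s*:\s*transparent", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link"}  # never closed; keep off the stack

class SaltDetector(HTMLParser):
    """Bucket text nodes into human-visible and CSS-hidden text."""
    def __init__(self):
        super().__init__()
        self._stack = []  # (tag, hidden?) for each open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        self._stack.append((tag, bool(HIDDEN_STYLE.search(style))))

    def handle_endtag(self, tag):
        if tag in VOID or all(t != tag for t, _ in self._stack):
            return
        while self._stack and self._stack.pop()[0] != tag:  # tolerate unclosed inner tags
            pass

    def handle_data(self, data):
        text = " ".join(data.split())
        if not text or any(t in ("style", "script") for t, _ in self._stack):
            return  # CSS/JS source is not salted prose
        (self.hidden if any(h for _, h in self._stack) else self.visible).append(text)

def analyze(html):
    """Return visible text, hidden text and the share of hidden characters."""
    p = SaltDetector()
    p.feed(html)
    visible, hidden = " ".join(p.visible), " ".join(p.hidden)
    total = len(visible) + len(hidden)
    return {"visible": visible, "hidden": hidden,
            "hidden_ratio": round(len(hidden) / total, 2) if total else 0.0}

# Constructed sample: a short lure padded with invisible filler text.
SAMPLE = """<html><body><p>Your invoice is attached.</p>
<p style="font-size:0px;color:transparent">lorem ipsum dolor sit amet consectetur</p>
<span style="display:none">quick brown fox jumps over the lazy dog</span>
<p>Please review it <b>today</b>.</p></body></html>"""
```

A high hidden ratio on a short message is a useful triage signal; the visible and hidden strings can then be scored separately so the filler no longer dilutes the lure text.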
6. GRU Airport Website Hit by Cyberattack
GRU Airport, located in Guarulhos, Brazil, faced a cyberattack on its official website on Saturday, March 15, 2025. The attack caused temporary instability, leaving the site offline for several hours. Despite the disruption, airport operations were unaffected, and the company assured that security protocols were followed. The hacker known as “Azael” claimed responsibility, also mentioning a previous attack on the University of São Paulo (USP).
7. Spar Group Switzerland Struck by Cyberattack
Spar Group Switzerland was hit by a cyberattack on the night of March 13–14, 2025, causing significant disruption. The company’s IT systems were impaired, leaving stores unable to process payments through regular EC devices, forcing customers to pay with cash or Twint. Some products were temporarily unavailable, and the system for ordering goods was also affected. Spar’s management quickly enlisted cyber specialists to restore normal operations, and by Saturday, many stores could process card payments again.
8. Pelham School District Faces Cyberattack
Pelham School District in New Hampshire suffered a cyberattack that left its computers, phone lines, and email systems offline. The attack has disrupted the district's ability to connect students and staff to online resources, including Chromebooks and Google Drive. The investigation is ongoing, and it is not yet known whether personal data was compromised. Despite the setbacks, the district plans to continue teaching offline during the two-week recovery period.
9. Cyberattack Forces Kirkel Town Hall Closure
A cyberattack struck the municipality of Kirkel in Saarland, Germany, on March 14, 2025, leading to the temporary closure of the town hall. The attack compromised communication systems, including email, and prompted the isolation of IT systems to protect data security. The local authorities, including the mayor, have engaged with the State Criminal Police Office and external experts to determine the cause and resolve the issue, while asking citizens to contact the administration for urgent matters by phone.
10. Edesur Dominicana Confirms Cyberattack
Edesur Dominicana confirmed it was targeted by a cyberattack but assured that no data had been compromised. The company addressed recent claims from the cybercriminal group Hunters International, who suggested they had access to Edesur’s data. Edesur has been working with the National Cybersecurity Incident Response Team to thoroughly assess the situation and verify the attackers’ claims. The company emphasized that its critical technological and operational infrastructure remained secure and unaffected, reassuring customers that their services were not disrupted.
11. Denmark Raises Cyber Threat for Telecoms
Denmark’s cybersecurity agency has raised the cyber espionage threat level for European telecoms to high, citing an increase in state-sponsored attacks. These attacks, particularly from the Chinese-linked Salt Typhoon group, target telecom providers to steal sensitive customer data and monitor communications. The agency’s warning comes after similar campaigns were observed in the U.S. and other countries, with hackers exploiting vulnerabilities in network devices to gain persistent access.
12. White House Urges Agencies to Keep Staff
The White House has instructed federal agencies to avoid laying off cybersecurity personnel. This decision comes as agencies face significant budget cuts, and experts warn that reducing cybersecurity staffing could leave the nation vulnerable to cyberattacks. The administration emphasizes the importance of retaining skilled cybersecurity professionals to ensure national security and safeguard critical infrastructure.
13. FCC Revises Submarine Cable Cybersecurity
The FCC is conducting its first review of submarine cable rules since 2001, focusing on national security and cybersecurity. New proposals require applicants and licensees to implement risk management plans that ensure the confidentiality and availability of their systems. The review also suggests a three-year reporting requirement for landing licenses and calls for public comments to refine these regulations, which aim to bolster security measures and establish clearer jurisdiction and reporting requirements.
14. Court Upholds Conviction of Former Uber CSO
The U.S. Court of Appeals affirmed the conviction of former Uber CSO Joe Sullivan for obstructing justice in the 2016 hack. Sullivan was convicted after attempting to conceal a breach in which hackers stole data from 57 million Uber users and 600,000 drivers. Despite his appeal, the court ruled that the evidence supported a finding that Sullivan knowingly participated in the cover-up, rejecting his claim that a nondisclosure agreement could retroactively legalize the hackers' actions.
15. GSMA Adds E2EE Support to RCS Messaging
The GSM Association has introduced end-to-end encryption (E2EE) for RCS messaging, enhancing security between Android and iOS devices. The new RCS Universal Profile 3.0 supports the Messaging Layer Security protocol, marking a significant milestone in mobile messaging security. This update not only strengthens privacy but also maintains RCS features like group chats and media sharing while ensuring safer cross-platform communication.
Copyright © 2025 CyberMaterial. All Rights Reserved.