Hello there 👋
Welcome back to Triaging the Week, the Kraven Security weekly newsletter. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what's happening at the company. Enjoy!
Top 5 News Stories

Android’s New Feature Stops Fraudsters from Sideloading Apps During Calls
Android 16 Beta 2 introduces a security feature that blocks app sideloading and accessibility changes during phone calls, thwarting scammers trying to trick users into installing malware. This measure aims to protect users from real-time fraud attempts.
Key takeaways:
📱 New Security Feature: Android 16 Beta 2 prevents app installation from unknown sources and accessibility modifications during calls.
🛑 Scam Protection: This feature targets fraudsters who exploit phone calls to deceive users into unsafe actions.
🔒 User Alert: Users are warned about potential scam risks when attempting to adjust settings during calls.
🚨 Immediate Implementation: The feature is already live in the beta, showcasing Google’s proactive approach to mobile security.
🌐 Broader Impact: This enhancement could significantly reduce the success rate of phone-based social engineering attacks.
Cybercriminal Leaks 12 Million Zacks Investment Accounts in Massive Data Breach
A cybercriminal using the alias Jurak has leaked data from roughly 12 million Zacks Investment accounts, the company's third breach in four years. The exposed information includes email addresses, physical addresses, and more; affected users should tighten their account security immediately.
Key takeaways:
🚨 Massive Breach: A cybercriminal known as Jurak compromised approximately 12 million Zacks Investment accounts in a data leak.
📊 Data Exposed: The breach includes email addresses, physical addresses, phone numbers, full names, and other user details.
🔍 Repeat Victim: This is Zacks' third data breach since 2022; prior incidents affected 8.8 million users.
🕵️ Criminal Claim: The attacker initially claimed 15 million records; after the dump was analysed, the figure was revised to 12 million.
🛡️ User Action: Affected individuals should monitor accounts, update passwords, and consider identity theft protection.
PirateFi Game on Steam Caught Installing Password-Stealing Malware
Valve has removed PirateFi from Steam after discovering that it installed Vidar, an information stealer that harvests browser cookies and saved passwords. Anyone who downloaded the game should run an antivirus scan and consider a full system reset.
Key takeaways:
🚨 Malware Alert: PirateFi, a free game on Steam, was found distributing Vidar malware, a password stealer.
🔒 Credential Theft: The malware steals browser cookies, which let an attacker hijack logged-in sessions without ever needing the password.
📈 Limited Reach: Steam statistics show a peak of only five concurrent players, so the infected population may be small.
🛡️ Valve’s Response: The game was delisted, and warnings were sent to users who installed it.
🖥️ User Action: Affected users should run antivirus scans and might need to reset their PCs for safety.
Russian Phishing Campaigns Exploit Signal’s Device-Linking Feature
Russian threat actors are targeting Signal users by abusing its device-linking feature with attacker-generated QR codes, aiming to read their secure chats in real time. Stay cautious: verify where a QR code comes from and never scan one from an untrusted source.
Key takeaways:
🕵️‍♂️ Cyber Espionage: Russian threat actors are phishing Signal users, abusing the app's "Linked Devices" feature to trick victims into scanning malicious QR codes.
📱 QR Code Deception: Disguised as legitimate invites (e.g., Kropyva app groups or Signal alerts), these QR codes link an attacker-controlled device to the victim's account, so every subsequent message is delivered to the attacker as well.
🛠️ Tech Tactics: Older campaigns paired this with malware such as Infamous Chisel, while newer ones rely on targeted phishing pages tailored to the victim's interests.
🛡️ Protection Push: Signal's latest update adds safeguards, but users must remain vigilant: avoid unverified QR scans and periodically review the Linked Devices list in Settings, removing anything you do not recognise.
New FrigidStealer Malware Targets macOS Users via Fake Browser Updates
Security researchers have uncovered FrigidStealer, a new macOS malware spread through fake browser update prompts. It is part of a broader campaign by the TA2727 group, which also distributes malware for Windows and Android.
Key takeaways:
❄️ FrigidStealer Introduction: A new malware targeting macOS, exploiting fake browser update prompts.
🖥️ Attack Method: Web injects on compromised sites redirect visitors to download pages, where they are tricked into installing the malware as a "browser update".
🔍 Threat Actor: Linked to TA2727, a group that targets Windows with Lumma Stealer and Android with Marcher.
🔓 Security Bypass: Because the payload is unsigned, the lure instructs the victim to right-click and choose Open, sidestepping Gatekeeper; once running, the malware steals sensitive data from the Mac.
🚨 User Caution: macOS users should be wary of unexpected update notifications and only download from official sources.
Top Tips of the Week

Threat Intelligence
- Validate and verify threat intelligence. Ensure accuracy before taking action to avoid false positives and wasted resources.
- Educate your team on effective CTI utilization. Empower them to leverage threat intelligence for proactive defense.
- Learn from historical threat intelligence incidents. Analyzing past events provides insights for improving intelligence and incident response.
Threat Hunting
- Monitor the dark web for potential cyber threats targeting your organization. Gain insights into emerging risks.
- Integrate threat intelligence into threat modeling. Enhance your security posture by identifying potential threats early in the development process.
Custom Tooling
- Conduct thorough testing of custom tools in realistic scenarios. Simulate real-world conditions to identify and address potential issues.
- Regularly revisit and update custom tools. Evolving threats and changing requirements necessitate ongoing refinement.
Feature Video
The MITRE ATT&CK framework is the bible of cyber threat intelligence. It provides a common language for describing and categorising adversarial tactics, techniques, and procedures (TTPs) based on real-world observations.
Let’s explore it in detail so you can start using it today!
Learning Resources

Validate Your Security Posture
You should be using cyber threat intelligence to validate your security controls. This great webinar from the makers of OpenCTI highlights the challenges organisations face when building a threat-driven security posture validation program and how to overcome them.
It discusses managing vast amounts of threat data, ensuring real-time readiness against evolving attacks, and operationalizing security insights effectively by integrating continuous assessment, automation, and purple teaming.
A great presentation that highlights the security benefits CTI can bring to an organization!
Learn the Detection Engineering Process
In this presentation by Hayden Covington from Black Hills Information Security, learn the detection engineering process, from formulating a hypothesis to testing queries to continuous deployment. He covers how to use the scientific method to ensure your detections are consistent, accurate, and effective in the long term.
Key takeaways include documenting detection logic, validating queries through backtesting, implementing canaries to ensure ongoing effectiveness, and maintaining a continuous improvement cycle. A must-watch for any SOC analyst!
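To make that lifecycle concrete, here is an added example (it is not code from the talk or from Black Hills Information Security) that walks one detection through the same steps: a documented hypothesis, the detection logic, a backtest against labelled history that reports precision and recall, and a canary that must keep firing after every deployment. The rule ID, the auth-log format, the sample log lines and the "known bad" labels are all constructed for illustration.

```python
"""Detection engineering in miniature: hypothesis -> logic -> backtest -> canary.

Added example. The rule, log schema, sample events and labels below are
constructed for illustration; they are not from the talk or any real SIEM.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# 1. Hypothesis, documented next to the logic so reviewers can challenge it.
RULE = {
    "id": "DE-0001",  # hypothetical rule identifier
    "hypothesis": "An attacker using a stolen or guessed password fails many "
                  "logins from one source shortly before succeeding.",
    "logic": ">= 5 FAIL events from one src followed by SUCCESS within 10 min",
    "data_source": "authentication log (constructed sample in SAMPLE_LOG)",
}

# 2. Constructed sample history used for backtesting (not real data).
SAMPLE_LOG = """\
2025-02-20T10:00:01 src=10.0.0.5 user=alice result=FAIL
2025-02-20T10:00:04 src=10.0.0.5 user=alice result=FAIL
2025-02-20T10:00:07 src=10.0.0.5 user=alice result=FAIL
2025-02-20T10:00:10 src=10.0.0.5 user=alice result=FAIL
2025-02-20T10:00:13 src=10.0.0.5 user=alice result=FAIL
2025-02-20T10:00:16 src=10.0.0.5 user=alice result=FAIL
2025-02-20T10:00:20 src=10.0.0.5 user=alice result=SUCCESS
2025-02-20T10:01:00 src=10.0.0.9 user=bob result=FAIL
2025-02-20T10:01:05 src=10.0.0.9 user=bob result=FAIL
2025-02-20T10:01:09 src=10.0.0.9 user=bob result=SUCCESS
2025-02-20T10:05:00 src=10.0.0.23 user=carol result=FAIL
2025-02-20T10:12:00 src=10.0.0.23 user=carol result=FAIL
2025-02-20T10:19:00 src=10.0.0.23 user=carol result=FAIL
2025-02-20T10:26:00 src=10.0.0.23 user=carol result=FAIL
2025-02-20T10:33:00 src=10.0.0.23 user=carol result=FAIL
2025-02-20T10:34:00 src=10.0.0.23 user=carol result=SUCCESS
2025-02-20T11:00:00 src=10.0.0.77 user=dave result=FAIL
2025-02-20T11:00:02 src=10.0.0.77 user=dave result=FAIL
2025-02-20T11:00:04 src=10.0.0.77 user=dave result=FAIL
2025-02-20T11:00:06 src=10.0.0.77 user=dave result=FAIL
2025-02-20T11:00:08 src=10.0.0.77 user=dave result=SUCCESS
"""
# Analyst-confirmed malicious sources in the sample (the backtest ground truth).
KNOWN_BAD = {"10.0.0.5", "10.0.0.77"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse(log_text):
    """Turn raw log lines into time-sorted event dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                           "user": m["user"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """3. Detection logic. Returns (src, user, success_ts, fail_count) per alert."""
    recent_fails = defaultdict(deque)  # src -> timestamps of FAILs inside window
    alerts = []
    for e in events:
        q = recent_fails[e["src"]]
        while q and e["ts"] - q[0] > window:   # expire failures outside window
            q.popleft()
        if e["result"] == "FAIL":
            q.append(e["ts"])
        elif len(q) >= threshold:              # SUCCESS after a burst of FAILs
            alerts.append((e["src"], e["user"], e["ts"].isoformat(), len(q)))
            q.clear()                          # one alert per burst
    return alerts


def backtest(events, known_bad):
    """4. Validate the query against labelled history before deploying it."""
    flagged = {a[0] for a in detect(events)}
    tp, fp, fn = len(flagged & known_bad), len(flagged - known_bad), len(known_bad - flagged)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}


def canary_events(now):
    """Synthetic burst that MUST trigger the rule; inject it on a schedule."""
    src = "canary-198.51.100.7"  # reserved documentation range, never a real host
    lines = [f"{(now + timedelta(seconds=i)).isoformat()} src={src} user=canary result=FAIL"
             for i in range(5)]
    lines.append(f"{(now + timedelta(seconds=6)).isoformat()} src={src} user=canary result=SUCCESS")
    return "\n".join(lines)


def canary_check(now=None):
    """5. Continuous assurance: if the canary stops alerting, the pipeline broke."""
    now = now or datetime(2025, 2, 20, 12, 0, 0)
    return any(a[0].startswith("canary-") for a in detect(parse(canary_events(now))))


if __name__ == "__main__":
    history = parse(SAMPLE_LOG)
    print(RULE["id"], RULE["logic"])
    print("alerts:", detect(history))
    print("backtest:", backtest(history, KNOWN_BAD))
    print("canary firing:", canary_check())
```

Running it shows the point of backtesting: the rule catches the noisy burst from 10.0.0.5 and ignores bob's two typos, but it misses dave (four failures, one short of the threshold) and carol's slow-and-low pattern that spreads failures beyond the window, so recall is 0.5. That gap is the input to the next iteration of the hypothesis, and the canary is what tells you the deployed version still fires after the next pipeline change.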
Find Out Who Is Attacking You
Researching who is likely to target your organisation can be daunting. Fear not. Andy Piazza (SANS) has developed an excellent framework to help you rank threat actors and quantify their intent and capabilities, making it easier to determine who is likely to target you.
In this presentation, he walks you through the Threat Box model that aims to bridge gaps in traditional risk models by considering human elements, such as intent and willingness, rather than just technical capabilities. He emphasizes historical threat intelligence, existing attack patterns, and geopolitical factors to assess threat levels accurately.
I highly recommend trying the Threat Box model when performing threat modeling or profiling!
Don’t Get Overwhelmed by AI: Start Learning Today
AI advancements in 2025 are overwhelming, but the key is to navigate them efficiently. This video from Jeff Su highlights an “AI-native” approach, where users focus on practical applications rather than getting lost in hype.
It presents three main challenges: tool paralysis (too many choices), “death by prompts” (struggling with AI input), and update suffocation (constant AI news). By building a minimal AI toolkit, embedding prompts into workflows, and filtering only valuable AI updates, users can master AI without feeling overwhelmed.
You should be using AI at some level; this video is a great place to start learning how!