{
	"id": "8a4de395-212e-46d8-b851-e05f799222a7",
	"created_at": "2026-04-06T00:19:41.365701Z",
	"updated_at": "2026-04-10T03:37:04.454573Z",
	"deleted_at": null,
	"sha1_hash": "29c2ca9116bd72bd0db9559d418244104a31ee63",
	"title": "Avast Q2/2023 threat report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11440494,
	"plain_text": "Avast Q2/2023 threat report\r\nBy Threat Research Team\r\nArchived: 2026-04-02 11:12:41 UTC\r\nForeword \r\nThis quarter has been nothing short of extraordinary, with cyber-threat activity reaching its highest point in the\r\npast three years. We take this opportunity to offer you insights into the challenges we encountered in safeguarding\r\nour users against all these malicious threats. \r\nIn Q2/2023, our detection telemetry revealed a significant increase in overall cyber-threat risk. The risk ratio,\r\nreflecting the proportion of users protected from cyber threats out of all our protected users, rose by 13% quarter-on-quarter, reaching a concerning 27.6%. Moreover, the volume of unique blocked attacks surged by 24% over the\r\nsame period, resulting in an average of close to 700 million unique blocked attacks each month. \r\nDuring the quarter, we observed a notable shift in threat trends. While traditional consumer-focused cyber threats\r\nsaw a slight decline, there was a dramatic surge in social engineering and web-related threats, such as scams,\r\nphishing, and malvertising. These threats accounted for more than 75% of our overall detections on desktops\r\nduring the quarter, with scams alone contributing to 51% of the total detections.\r\nhttps://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/\r\nPage 1 of 44\n\nThe prevalence of malvertising and malicious browser push notifications has also witnessed a dramatic increase,\r\nalong with the proliferation of dating scams and extortion emails. More detailed information on these emerging\r\nthreats can be found in the subsequent sections of this report. \r\nWhile adware exhibited a slight decline in prevalence, it continues to persist across desktop, mobile, and browser\r\nplatforms. One notable example is the HiddenAds campaign, which resurfaced on the Google Play Store and\r\namassed tens of millions of downloads during its reign. 
\r\nAnother noteworthy observation was the discovery of the Mustang Panda APT group’s attempt to infiltrate and\r\ninfect TP-Link routers through compromised firmware. We also closely monitored the progress of the DDosia\r\nproject, witnessing participants of this threat group targeting the Wagner Group infrastructure in response to its\r\nephemeral rebellion in Russia. \r\nMalicious coinminers, while experiencing a slight decline, posed unique challenges for their authors due to the shift\r\nfrom proof-of-work to proof-of-stake schemes that recently happened in many cryptocurrencies. Some of the\r\nmalware authors struggled to adapt, leading to the observed decrease in coinminer prevalence during this quarter.\r\nOur researchers also discovered HotRat in the wild, a .NET reimplementation of AsyncRat, featuring numerous\r\nnew commands and features.  \r\nIn addition, I am pleased to highlight another significant achievement by our researchers. Avast’s discovery of\r\nCVE-2023-29336, a local privilege escalation vulnerability targeting win32k in the Windows kernel, led to a\r\nprompt patch in the May Patch Tuesday security update. While we shared a proof-of-concept exploit with\r\nMicrosoft, we have responsibly withheld public disclosure of technical details to prioritize user safety. \r\nHowever, ransomware remains an ongoing concern. Despite a slight decline in prevalence, ransomware authors\r\npersist in targeting victims, relying increasingly on targeted attacks and exploits to penetrate company networks.\r\nNotably, successful attacks on widely used software, such as PaperCut and MOVEit, underscore the evolving\r\ntactics of ransomware operators, who more than ever experiment with encryption-less extortion techniques and\r\ndoxing. \r\nOn a positive note, we are pleased to share that our efforts have led to the development of a free decryption tool\r\nfor Akira Ransomware. 
This tool has already assisted numerous victims of ransomware attacks in restoring their\r\nfiles and businesses, further solidifying our commitment to providing solutions and assistance to those in need. \r\nThank you for reading and placing your trust in Avast. Stay safe and secure. \r\nJakub Křoustek, Malware Research Director\r\nMethodology \r\nThis report is structured into two main sections: Desktop-related threats, where we describe our intelligence\r\naround attacks targeting the Windows, Linux, and Mac operating systems, with a specific emphasis on web-related\r\nthreats, and Mobile-related threats, where we describe the attacks focusing on Android and iOS operating\r\nsystems. \r\nWe use the term “risk ratio” in this report to denote the severity of specific threats. It is calculated as a monthly\r\naverage of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise,\r\ncalculated risks are only available for countries with more than 10,000 active users per month. \r\nA blocked attack is defined as a unique combination of the protected user and a blocked threat identifier within the\r\nspecified time frame. \r\nIn this report, we also slightly redefined the “Information Stealers” malware category. Moving forward, this\r\ncategory will encompass the following malware types: banking trojans, keyloggers, password stealers (also known\r\nas pws), spyware, clippers, cryptostealers, exfilware, stalkerware, and webskimming. We also recalculated the\r\nrelated statistics so that we can provide you with the correct comparisons with the previous quarters. \r\nFeatured Story: The Rise of Scams \r\nScams, much like the many forms of deception and trickery that preceded them, have always been an inherent part\r\nof the human experience. 
In a digital era where information is largely exchanged through the Internet, these acts of\r\ndeceit have found a fertile ground to evolve and proliferate, posing a significant threat to online safety. \r\nScams have transitioned from the physical to the digital world with alarming ease, leveraging the anonymity and\r\nexpansive reach provided by the Internet. Today’s scams employ a wide array of sophisticated tactics that range\r\nfrom financial and charity scams to online dating scams and deceptive advertising. The mechanisms may vary, but\r\nthe end goal remains the same – to deceive unsuspecting individuals into revealing sensitive information or\r\nparting with their hard-earned money. \r\nFurthermore, a related threat type, Phishing, accounted for another 25% of all threats. Phishing attempts often\r\nmasquerade as legitimate requests for information, typically from a well-known and trusted entity such as a bank\r\nor a government agency. They prey on human instincts of trust and urgency, compelling victims to divulge\r\nconfidential information or engage in financial transactions under false pretenses. \r\nThe rapid evolution of technology has led cybercriminals to adapt and innovate. They have harnessed AI tools to\r\ncraft nearly flawless imitations of legitimate communication, making it increasingly difficult for individuals to\r\ndifferentiate between what is real and what isn’t. Furthermore, the adoption of smishing – or phishing through\r\nSMS – has capitalized on the high open rates and inherent trust individuals place in text messages. \r\nThe data from Q2/2023 signifies a shift in the cybersecurity landscape. Threat actors are opting for the\r\npsychological manipulation afforded by scams and phishing rather than the technical exploits found in traditional\r\nmalware attacks. 
As a result, our defense must adapt, focusing not just on improving technological measures but\r\nalso on building awareness and promoting skepticism toward unsolicited communication. \r\nIn March we uncovered a new Instagram scam using fake SHEIN gift cards as lure. During Q2, we have found\r\nthat the scammers are widening their operations, covering more countries such as Israel. They have also evolved\r\nand moved on from fake SHEIN gift cards to a perhaps more appealing iPhone 14 lure targeting users in Mexico and\r\nSpain, such as the example below. \r\nRecent scam utilizing Apple iPhones as lure in Spain and Mexico\r\nThe outcome remains the same: victims never receive the promised prize; instead, they find themselves subscribed\r\nto an unfamiliar service they have no knowledge of. \r\nDuring these past three months, we have documented other scams as well. Avast Threat Labs identified a new data\r\nextortion scam targeting companies via email, seemingly from a ransomware or data extortion cyber gang. The\r\nemails, addressed to employees by their full names, claim a security breach has occurred, with a significant\r\namount of company information stolen, including employee records and personal data. Senders purport to be from\r\nransomware groups like “Silent Ransom” or “Lockffit.” The emails press employees to notify their managers\r\nabout the situation, threatening to sell the stolen data if ignored, and remind the recipients about the regulatory\r\npenalties of data breaches. \r\nHowever, these communications appear to be more scare tactics than actual extortion campaigns following a data\r\nbreach. 
It’s an effort to intimidate decision-makers into paying to prevent further consequences like having their\r\ndata sold or facing potential regulatory fines. There’s no offered proof of the breach other than possession of the\r\nrecipient’s email and name. Avast has captured identical scam messages targeting different organizations, merely\r\nchanging details like the recipient’s name, the contact email, the supposed amount of stolen data, and even the\r\nalleged cybercriminal group. This modus operandi points to semi-automated attacks using a list of targets, akin to\r\nsextortion tactics. \r\nIn fact, this quarter a new sextortion campaign was uncovered by Avast. Sextortion scams are email-based\r\ncyberattacks where the scammers claim to have taken control of your system, often saying they have recorded\r\nyour activities through your device’s cameras and demanding payment to keep your privacy intact. The scammers\r\ncapitalize on the victim’s fear and embarrassment, hoping for quick payment to avoid potential exposure. \r\nOne of the nastiest scams we have detected is this disturbing crowdfunding scheme exploiting public generosity.\r\nThe scam involves a series of emotionally charged video ads, narrating the story of a cancer-stricken child named\r\n“Semion,” soliciting urgent financial aid for his treatment. These videos, primarily in Russian with multilingual\r\nsubtitles, have been shared on platforms like YouTube and Instagram, eliciting significant monetary donations\r\nfrom empathetic viewers directed towards a donation page offering multiple payment methods. \r\nAmidst these rising threats, it is essential to remember the fundamental rule of the Internet: trust, but verify. The\r\nshift towards a more scam-dominant threat landscape emphasizes the importance of digital literacy and security\r\nawareness for consumers. 
\r\nIn conclusion, the surge in scams and phishing incidents during Q2/2023 underscores a shifting threat landscape\r\nthat demands adaptable, well-informed, and proactive cybersecurity measures. The cornerstone of these measures\r\nmust be comprehensive education and awareness initiatives designed to empower users in recognizing and\r\neffectively responding to these deceptive and damaging attacks. \r\nLuis Corrons, Security Evangelist\r\nAdvanced Persistent Threats (APTs) \r\nAn Advanced Persistent Threat (APT) is a type of cyberattack that is carried out by highly skilled and determined\r\nhackers who have the resources and expertise to penetrate a target’s network and maintain a long-term presence\r\nundetected. \r\nAvast researchers have been diligently monitoring the activities of the notorious hacking group Mustang Panda\r\nand their exfiltration server. During our investigation, a significant development emerged when the researchers\r\ndiscovered several new binaries on the server, one of which was a malicious firmware image that was\r\ncustomized for targeting TP-Link routers. This firmware image turned out to be laden with malevolent\r\ncomponents, among them a particularly troublesome custom MIPS32 ELF implant. \r\nRemote command execution functionality found in Mustang Panda’s malicious firmware image\r\nThe implications of this custom implant are unsettling, as it affords the attacker three key functionalities. First, the\r\nattackers can execute arbitrary shell commands remotely on the infected router, granting them substantial control\r\nover the device from a distance. Secondly, the implant facilitates file transfer to and from the infected router,\r\nproviding a means for the attackers to upload and download files which could lead to data theft or the\r\ndissemination of harmful payloads. 
Finally, the implant enables SOCKS protocol tunnelling, serving as a\r\ncommunication relay between different clients, further masking the attacker’s identity and complicating their\r\ndetection. The method used by the attacker to infect the router devices with the malevolent implant remains\r\nunknown. Overall, the threat group continues its operation in multiple countries including Hong Kong, Vietnam,\r\nand the Philippines, continuously testing new techniques and malware. Simultaneously, they utilize well-known tools such\r\nas Korplug and Cobalt Strike. \r\nLazarus, another infamous group notorious for their involvement in numerous high-profile cyberattacks, has\r\ncarried out a fresh social engineering campaign this quarter. Their targets are blockchain-related developers,\r\nenticed through deceptive job assessments as a means to introduce malware. This strategy aims to compromise\r\ndevelopers, potentially leading to significant security breaches and data compromises. \r\nThe Gamaredon APT group is demonstrating persistence in pursuing their malicious objectives, with Ukrainian\r\ninstitutions remaining a primary focus of their cyber-espionage operations. The group has a history of launching\r\nsophisticated attacks against government entities, military organizations, and critical infrastructure within Ukraine.\r\nTheir modus operandi involves using spear-phishing emails, malicious documents, and social engineering\r\ntechniques. \r\nDoNot APT remains actively engaged in targeting the Pakistan government and military. We have identified a\r\nseries of phishing emails containing LNK files to deliver the payload. \r\nLuigino Camastra, Malware Researcher\r\nIgor Morgenstern, Malware Researcher\r\nAdware \r\nAdware is considered unwanted if installed without the user’s consent, tracks browsing behavior, redirects web\r\ntraffic, or collects personal information for malicious purposes such as identity theft. 
\r\nCompared to last quarter, we have seen the beginning of a downward trend in desktop adware in Q2/2023, as the\r\ngraph below illustrates. In the next quarter, we will see if this is a long-term trend or just a seasonal fluctuation\r\nsince we did not notice any significant adware campaigns in this quarter. \r\nGlobal Avast risk ratio from desktop adware for Q1/2023 and Q2/2023\r\nIn the previous quarter, DealPly adware established itself as a leading force within the adware landscape with a\r\n15% share. The map below shows that DealPly’s risk ratio has almost doubled globally\r\ncompared to Q1/2023.\r\nMap showing global risk ratio for DealPly adware in Q2/2023\r\nIn contrast to the rise of DealPly, the risk of all adware strains is about half that of Q1/2023. The significant\r\nincrease in adware activity we observed in East Asia, namely Japan, Taiwan, and China, in Q1/2023 has stabilized\r\nwith the overall average of Q2/2023. The complete risk ratio is illustrated in the map below. \r\nMap showing the global risk ratio for Adware in Q2/2023\r\nAdware Share \r\nDealPly remains the undisputed market leader, holding a substantial 31% share. Smaller shares are allocated to\r\nother adware strains as follows: \r\nRelevantKnowledge (7%) \r\nBrowserAssistant (3%) \r\nNeoreklami (2%) \r\nNevertheless, lesser-known adware strains managed to capture a significant 32% market share in Q2/2023. The\r\nprevailing variant of these adware strains typically operates by intercepting user clicks on random hyperlinks and\r\nsubstituting them with redirects to advertising websites. \r\nThe following table provides a distribution of ad domains observed in the wild during the current and previous\r\nquarters. 
It is evident that ad domains are rotated dynamically each quarter to evade detection by ad blockers and\r\nother detection systems. \r\nQ2/2023 Q1/2023\r\noovaufty[.]com (↑ 30%) oovaufty[.]com (↑16%)\r\nptuvauthauxa[.]com (↑ 23%) ptuvauthauxa[.]com (↓19%)\r\nsaumeechoa[.]com (↓ 15%) saumeechoa[.]com (↑53%)\r\nninoglostoay[.]com (↑ 9%) ninoglostoay[.]com (7%)\r\ncaumausa[.]com (5%) —\r\napplabzzeydoo[.]com (3%) —\r\nad2upapp[.]com (↑ 2%) ad2upapp[.]com (↓1%)\r\nRepresentation of ad servers in the wild for Q2/2023 and Q1/2023\r\nAdware tries to unobtrusively redirect users to websites that provide free software downloads or other products\r\nbut also to dangerous content. In a separate section, we will overview the most common Web-based Adware in\r\nQ2/2023.\r\nMartin Chlumecký, Malware Researcher\r\nBots\r\nBots are threats mainly interested in securing long-term access to devices with the aim of utilizing their resources,\r\nbe it remote control, spam distribution, or denial-of-service (DoS) attacks.\r\nWe have continued to track the activities of the notorious threat group NoName057(16), notably their DDosia project.\r\nThe release of our latest blog post on the threat coincided with an update of DDosia’s protocol. Just a day after the\r\nrelease, the protocol was updated to include encryption.  \r\nThe most notable bot attack of Q2/2023 was the one following the Wagner Group rebellion. Just hours after the\r\nstart of the rebellion, DDosia released a configuration targeting Wagner Group webpages which were up for\r\nalmost a day. In contrast to usual operations, this attack wasn’t announced on the project’s Telegram channel. It is\r\nalso worth noting that this attack was unsuccessful, and the targeted webpages were accessible throughout the\r\nDDoS attack without restrictions.  
\r\nWhile it may seem unexpected for a Russian group to choose a Russian target, it seems to be well within their\r\nusual modus operandi which follows pro-government Russian interests. As for the group’s development, it seems\r\nthat the project’s growth is slowly reaching its plateau with the current number of volunteers being around\r\n11,500. \r\nThe size of the DDosia community over the last 4 months.\r\nThe overall botnet landscape appears to be rather stable, with a slight decline in risk ratio and no significant changes in the\r\nfamily distribution in comparison to the previous quarter. The only significant outlier is the MyKings family that\r\nhas increased in activity by circa 20%.\r\nGlobal risk ratio in Avast’s user base regarding botnets in Q2/2023\r\nAdolf Středa, Malware Researcher\r\nCoinminers\r\nCoinminers are programs that use a device’s hardware resources to verify cryptocurrency transactions and earn\r\ncryptocurrency as compensation. However, in the world of malware, coinminers silently hijack a victim’s computer\r\nresources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware,\r\nit’s important to follow our guidelines.\r\nIn the ever-evolving landscape of cryptocurrency mining, coinminers have been facing a continuous decline in\r\ntheir activity, a trend that has persisted over time. When compared to Q1/2023, we observed a 4% decrease in the\r\nrisk ratio.\r\nThis sustained decline can be largely attributed to the growing adoption of proof-of-stake (PoS) protocols by\r\nvarious cryptocurrencies. 
PoS is considered a more energy-efficient and environmentally friendly alternative to\r\nthe traditional proof-of-work (PoW) consensus mechanism used in coinmining.\r\nGlobal risk ratio in Avast’s user base in regard to coinminers in Q2/2023\r\nIn Q2/2023, users in Serbia faced the highest risk of encountering a coinminer once again, with a risk ratio of\r\n5.80%. Following closely were Montenegro with 4.58%, Madagascar with 3.76%, and Bosnia and Herzegovina\r\nwith a risk ratio of 3.17%.\r\nGlobal risk ratio for coinminers in Q2/2023\r\nCoinminer XMRig saw an increase in activity during Q2/2023, with its market share rising by 13% to reach\r\n18.13%. Additionally, FakeKMSminer and VMiner became more prevalent, with their market shares increasing by\r\n16% and 47% respectively, now holding 2.19% and 1.92% of the market each. Conversely, CoinBitMiner,\r\nCoinHelper, and NeoScrypt experienced declines of 7%, 13%, and 3% respectively, each holding roughly 1% of\r\nthe market. Web miners also lost 2% of the market share, though they still dominate as the most prevalent form of\r\ncoinmining, accounting for 65% of the market. \r\nThe most common coinminers in Q2/2023 were: \r\nWeb miners (various strains) \r\nXMRig \r\nFakeKMSminer \r\nVMiner \r\nCoinBitMiner \r\nCoinHelper \r\nNeoScrypt\r\nJan Rubín, Malware Researcher\r\nInformation Stealers \r\nInformation stealers are dedicated to stealing anything of value from the victim’s device. Typically, they focus on\r\nstored credentials, cryptocurrencies, browser sessions/cookies, browser passwords and private documents. \r\nDuring Q2/2023, information stealers experienced a 14% decrease in activity, mainly due to Raccoon Stealer and\r\nRedLine. These two saw their market shares drop by 31% and 36%, respectively. 
\r\nGlobal risk ratio in Avast’s user base in regard to information stealers in Q2/2023\r\nLooking at the countries where we have a more significant user base, the highest risk of information stealer\r\ninfections currently exists in Pakistan, Turkey, and Egypt, with risk ratios of 2.62%, 2.23%, and 2.22%,\r\nrespectively. Surprisingly, during Q2/2023, there was a decrease in activity across almost every region, except for\r\nSwitzerland (+7% risk ratio), Bulgaria (+2%), and Japan (+1%). \r\nMap showing global risk ratio for information stealers in Q2/2023\r\nBased on our data, AgentTesla holds the title of the most prevalent information stealer, with a market share of\r\n27%. It experienced a noteworthy increase in activity during Q2/2023, boosting its market share by 26%.\r\nFormBook (11% market share), Fareit (5%), and Lokibot (5%) also saw their minor market shares rise. On the\r\nother hand, ViperSoftX maintained its levels with a slight 2% decrease in activity, now holding a 2.2% market\r\nshare. As for Raccoon Stealer and RedLine, they currently hold market shares of 7% and 6%, respectively. \r\nThe most common information stealers in Q2/2023 were: \r\nAgentTesla \r\nFormBook  \r\nRaccoon Stealer \r\nRedLine  \r\nFareit \r\nLokibot \r\nViperSoftX \r\nRaccoon Stealer is constantly evolving. The malicious actors responsible for this threat have recently integrated\r\nSignal Desktop into their configuration, meaning they can now steal data from the popular communicator’s\r\ndesktop clients, expanding their reach and potential impact on victims’ privacy and security. \r\nSource: https://twitter.com/AvastThreatLabs/status/1648688808664215555 \r\nAdditionally, new information stealers have entered the scene. 
One such stealer is Meduza Stealer used for data\r\ntheft, compromising information such as login credentials, browsing history, bookmarks, crypto wallets, and more.\r\nAnother stealer is Mystic Stealer that steals various information from infected systems, including computer\r\ndetails, user geolocation, web browser data, and cryptocurrency wallet information. \r\nClippers – another type of information stealer – are malware designed for clipboard hijacking and manipulation,\r\nusually focusing on cryptocurrency theft. They operate by monitoring the victim’s clipboard for copied wallet\r\naddresses. When a clipper detects a cryptocurrency address being copied, the malicious code discreetly swaps it\r\nwith the attacker’s address. As a result, unsuspecting victims end up sending their digital assets to the attacker’s\r\nwallet instead of the intended recipient, leading to financial losses. \r\nLaplas Clipper is one of the clippers that has gained popularity during Q2/2023. According to our data, it\r\nincreased its market share by 224% compared to the previous quarter, now holding 1.49% of the entire\r\ninformation stealers market share. \r\nJan Rubín, Malware Researcher\r\nRansomware  \r\nRansomware is any type of extorting malware. The most common subtype is the one that encrypts documents,\r\nphotos, videos, databases, and other files on the victim’s PC. Those files become unusable without decrypting\r\nthem first. In order to decrypt the files, attackers demand money, “ransom”, hence the term ransomware. \r\nThe overall risk ratio in ransomware declined slightly in Q2/2023 compared to the previous quarter: \r\nRansomware spreading in 2023\r\nIn Q2, countries with the highest prevalence of ransomware threats were:\r\n1. Mozambique\r\n2. Papua New Guinea\r\n3. Afghanistan\r\n4. Angola\r\n5. Ghana\r\n6. 
Republic of Korea\r\nMap showing global risk ratio for ransomware in Q2/2023\r\nThe most prevalent ransomware strains in our userbase for the quarter were: \r\n1. WannaCry\r\n2. STOP\r\n3. Magniber\r\n4. GlobeImposter\r\n5. Hidden Tear\r\n6. Target Company\r\n7. LockBit\r\nVulnerabilities on the Rise \r\nA number of software vulnerabilities were used during the ransomware attacks in Q2/2023. Those included\r\nvulnerabilities in widely used third-party software or the leveraging of a vulnerable driver. \r\nThe most havoc in the ransomware world was caused by the CVE-2023-34362 vulnerability in the Progress\r\nMOVEit Transfer software. Unpatched versions of MOVEit Transfer suffer from an SQL-injection\r\nvulnerability that allowed for unauthorized access to the MOVEit database, as stated by the security advisory from\r\nProgress. Progress has since issued a patch to fix the vulnerability. \r\nAnother software vulnerability that was abused by threat actors to gain unauthorized access to company networks was\r\nin PaperCut, a print management software. As explained in the security advisory, there is a remote code execution\r\n(RCE) vulnerability, allowing code to be run on the PaperCut server without authentication. This vulnerability was\r\nabused by multiple ransomware gangs, such as Cl0p, LockBit and Bl00dy. \r\nPaperCut has since fixed these vulnerabilities. Users running PaperCut MF and PaperCut NG versions lower than\r\n20.1.7, 21.2.11, and 22.0.9 should update their systems immediately to close this attack surface. \r\nAdditionally, the BlackCat ransomware was observed to be using a malicious driver to terminate running security\r\nsoftware. A driver is a software component that runs in the very core of an operating system (in the kernel). As\r\nsuch, it needs to run with the highest permissions that are available in the operating system. 
\r\nThe Windows operating system protects its eco-system by only allowing drivers that are signed by a trusted\r\ncertificate. But there is a catch: the driver used by the BlackCat ransomware is signed by a stolen, valid certificate.\r\nSuch a driver, even if the certificate was revoked, can still be loaded by Windows 10 even with the latest updates: \r\nAkira Ransomware \r\nAkira is a strain of ransomware that emerged in March 2023. This ransomware is written in modern C++,\r\nwhich promises an elevated level of compatibility across multiple operating systems. It is no surprise that a Linux\r\nversion appeared soon after the initial launch. Apart from replacing MS CryptoAPI (which is Windows-specific)\r\nwith Crypto++ (which is multi-platform), the code remained mostly unchanged, including the exclusion list that has\r\nno meaning on the Linux operating system. The list is as follows: \r\nwinnt \r\ntemp  \r\nthumb \r\n$Recycle.Bin  \r\n$RECYCLE.BIN  \r\nSystem Volume Information  \r\nBoot  \r\nWindows  \r\nTrend Micro \r\nAvast discovered a flaw in the cryptography schema of Akira and published a decryptor that can help victims\r\nrecover their data. However, Akira authors reacted swiftly and released an updated version of their encryptor that\r\nis no longer decryptable. Newer versions of the Akira ransomware use a different extension for encrypted files; the\r\nAvast decryptor can only decrypt files that have the .akira extension. Nonetheless, many of the victims of the\r\noriginal version were able to recover their data and restore their businesses with the help of the Avast decryption\r\ntool. \r\nNew trend: Encryption-less ransomware \r\nEncrypting user files is not a simple task. A typical computer may have gigabytes of potentially large data files –\r\nmovies, music, ISO images, virtual machines. 
Those files’ encryption takes a lot of CPU work and raises red flags\r\nfor security solutions.  \r\nTo help bypass these security solutions, a new trend was observed by Zscaler researchers – encryption-less\r\nransomware. Instead of data encryption, such ransomware focuses on pure data extortion. Attackers then threaten\r\nto publish the data, which can severely damage the victim’s reputation or expose their intellectual property. \r\nLadislav Zezula, Malware Researcher\r\nJakub Křoustek, Malware Research Director\r\nRemote Access Trojans (RATs)  \r\nA Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote\r\ncontrol over a victim’s computer or device. RATs are typically spread through social engineering techniques, such\r\nas phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the\r\nvictim’s device, enabling them to execute various malicious activities, such as spying, data theft, remote\r\nsurveillance, and even taking control of the victim’s webcam and microphone. \r\nIn Q2/2023, Remcos continued to increase its share of attacks among other RATs. We saw the largest increase in\r\nEurope, Canada, South Africa, Vietnam and Indonesia where it gained a little over 30%, while in the rest of the\r\nworld its share slightly declined. Overall, Remcos gained 22% compared to Q1/2023. The overall risk ratio of\r\nRATs slightly decreased compared to Q1/2023; however, looking solely at numbers for this quarter the trend\r\nseems to be going up, with April being the calmest month. \r\nGlobal risk ratio in Avast’s user base regarding RATs in Q2/2023 compared to Q1/2023\r\nGlobal risk ratio in Avast’s user base regarding RATs in Q2/2023\r\nCountries with the highest risk ratio for RATs are Afghanistan, Iraq, and Algeria with the most prevalent threats\r\nbeing HWorm and njRAT. 
The countries with the highest increase in risk ratio are Bulgaria, Belgium and Serbia, due to the activity of Remcos as mentioned above.\r\nMap showing global risk ratio for information stealers in Q2/2023\r\nAnother strain with a considerable market share gain of 25% is Warzone, which was mostly active in Greece, Bulgaria, Serbia and Croatia. Conversely, NetWire saw a drop of 60%, which is the largest decrease of all the RATs Avast tracks. This may be related to the takedowns and arrests of cyber groups which happened in Q1/2023. \r\nThe most prevalent remote access trojan strains in the Avast userbase are: \r\nHWorm \r\nRemcos \r\nnjRAT \r\nWarzone \r\nAsyncRat \r\nQuasarRAT \r\nNanoCore \r\nGh0stCringe \r\nDarkComet \r\nLimeRAT \r\nWe have published a blog post detailing the workings and infection vector of HotRat. HotRat is a reimplementation of AsyncRat in .NET. This new rewritten version adds multiple new commands, which are focused mostly on stealing data from victim machines. HotRat is being spread through pirated software such as products by Adobe and Microsoft, video games, and premium system and development tools like IObit Driver Booster, VMware Workstation or Revo Uninstaller Pro. \r\nResearchers from Avira also discovered a new RAT named ValleyFall, which can log keyboard input, gather information from the victim’s system, download and execute other executables, and more. According to their data, the United States is the most affected country. \r\nGobRAT is another RAT, written in the Go programming language and capable of infecting Linux routers, as reported by JPCERT/CC. It supports multiple architectures (ARM, MIPS, x86, x86-64). 
GobRAT has 22 commands available, among them opening a reverse shell connection, running a SOCKS5 proxy, attempting to log in to services running on other machines (sshd, Telnet, Redis, MySQL, PostgreSQL) and carrying out DDoS attacks. \r\nOndřej Mokoš, Malware Researcher\r\nRootkits\r\nRootkits are malicious software specifically designed to gain unauthorized access to a system and obtain high-level privileges. Rootkits can operate at the kernel layer of a system, which grants them deep access and control, including the ability to modify critical kernel structures. This could enable other malware to manipulate system behavior and evade detection. \r\nAs reported in Q1/2023, we observed a downward trend in rootkits beginning in Q4/2022. If we compare the previous and the current quarter, we continue to see a decline, with the rate slightly tapering off. The next quarter should show whether the downward trend of rootkits is long term. The chart below shows the rootkit activity for the previous three quarters. \r\nRootkit risk ratio in Q4/2022 – Q2/2023\r\nGlobal risk ratio for rootkits in Q2/2023\r\nWhen considering the risk ratio on a country-by-country basis, China continues to hold the top position in terms of the magnitude of rootkit activities. \r\nFor the first time, we monitored a downward trend in the activity of the R77RK rootkit, which dominated the landscape for nearly 5 quarters. In Q2/2023, the R77RK market share is only 18%, whereas the share was 40% on average for the previous year. In addition, the last R77RK release was on June 6, 2023, but it was only a minor bug fix. \r\nIn Q1/2023, we noted a reduction in R77RK releases, which probably caused the drop in the prevalence of R77RK activities in the wild. 
We therefore expect a gradual decrease in the activities of this rootkit in the next quarter based on the graph below, which shows a downward trend in activities from Q1/2023.\r\nR77Rootkit risk ratio in Q4/2022 – Q2/2023\r\nThe market share also includes approximately 25% of rootkits of unspecified strains, which are used as kernel proxies for various activities with higher system privileges, such as killing processes, modifying network communication, etc. \r\nBelow you can see the complete list of clearly identified Windows rootkit strains, along with their corresponding market shares: \r\nCerbu (7%) \r\nAlureon (7%) \r\nPerkesh (6%) \r\nZeroAccess (3%) \r\nThe market share for clearly identified rootkit strains is the same as in the previous quarter, Q1/2023. \r\nIn terms of Linux operating systems, we continue to efficiently discover and track new Linux kernel rootkits; for instance, we were the first to detect Chicken and NetHid. We saw an increase in rootkits using magic packets; for instance, NetHid handles a UDP magic packet for executing a malicious user-mode application. \r\nAs you already know from the Syslogk rootkit, we are tracking threat actors in the development stage, which allows us to detect early not only advanced threats but also the PoCs and tools they use during development (e.g. kernel modules for testing). \r\nMartin Chlumecký, Malware Researcher\r\nDavid Álvarez, Malware Analyst\r\nVulnerabilities and Exploits \r\nExploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine. 
\r\nThe May Patch Tuesday security update contained a patch for CVE-2023-29336, a local privilege escalation vulnerability discovered by Avast researchers in the wild. This is a kernel exploit that targets a vulnerability in win32k, a subsystem providing graphics functionality in the Windows kernel. We shared a proof-of-concept exploit with Microsoft along with our vulnerability report, but we did not make any technical details about this vulnerability public. However, fellow researchers from Numen Cyber analyzed the patch and published a great write-up and a proof-of-concept exploit. \r\nWhile the win32k subsystem has always been a frequent target of exploits, there are some encouraging signs that indicate this subsystem might be getting more secure. First of all, Microsoft has developed a number of win32k-specific exploit mitigations and security improvements over the years. Many of these aimed to eliminate kernel address leaks and break known exploitation primitives. A less-known security improvement is that Microsoft turned many raw pointers into smart pointers. This effectively made the CVE-2023-29336 use-after-free condition not exploitable on Windows 11, as well as on the latest builds of Windows 10. Furthermore, browsers such as Chromium adopted a mitigation sometimes known as “win32k lockdown”, which reduces the browser sandbox attack surface and makes win32k exploits unusable for sandbox escapes. Last but not least, a small part of win32k was recently reimplemented in Rust. Since Rust is designed to be a memory-safe language, this should significantly reduce the number of memory corruption vulnerabilities in the reimplemented code. \r\nIn our Q1/2023 threat report, we wrote about the Nokoyawa and Magniber ransomware groups using zero-day exploits to deploy ransomware. 
Q2/2023 continued this concerning trend, with the most notable event being the Cl0p ransomware group exploiting CVE-2023-34362, a remote code execution vulnerability in the MOVEit Transfer web application. This data theft-only attack hit an astounding number of organizations worldwide, with many of them getting their stolen data published on the Cl0p leak site. \r\nIn June, Kaspersky reported it was impacted by an APT attacker exploiting iOS devices, dubbing the attack Operation Triangulation. The exploits were delivered through an iMessage attachment in a zero-click manner. Kaspersky managed to recover three vulnerabilities: CVE-2023-32434, CVE-2023-32435, and CVE-2023-38606. The first two were patched by Apple in June and the third one was patched on July 24. As Eugene Kaspersky discussed in a blog, discovering such attacks is currently extremely hard due to the lack of visibility resulting from the closed nature of iOS. \r\nOn top of these three CVEs, in early July Apple released a rapid security fix for a remote code execution vulnerability, CVE-2023-37450, in WebKit, the browser engine powering the Safari browser. The vulnerability was reported by an anonymous researcher and might have been actively exploited. Apple later mentioned that the fix might affect the display of certain pages. Red Hat’s support portal suggests that the vulnerability is related to the processing of WebAssembly code. It is important to note that other apps using WebKit might also be affected by this vulnerability. \r\nJust after the end of Q2/2023, US CISA and the FBI published a joint advisory regarding a serious espionage attack by the Chinese APT group Storm-0558, which was able to access tens of Outlook enterprise accounts. The attackers were able to obtain an inactive MSA consumer signing key, which they used to forge Azure AD access tokens. 
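The defensive lesson of this case is in how the forged tokens were validated: the relying party resolved the signing key by its key id and checked the signature, but did not check that the key was still inside its validity window or that a consumer key was meant to sign enterprise tokens at all. The following Python is an added illustration written for this report; it is not Microsoft's validation code nor a reconstruction of it. Everything in it is constructed: the key ids, the secrets, the validity dates and the `aud_type` claim, and HMAC stands in for the RSA signatures real tokens carry. It contrasts a naive signature-only check with a hardened verifier that enforces the key's lifetime and scope.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set for this example (not a real key set and not Microsoft's
# key metadata). Each key records its validity window and the kind of account
# it is allowed to sign for, which is exactly what a naive verifier ignores.
# HMAC secrets stand in for the RSA private keys real signing keys use.
KEY_SET = {
    "consumer-2019": {
        "secret": b"constructed-consumer-secret",
        "not_before": 1546300800,   # 2019-01-01 UTC
        "not_after": 1609459200,    # 2021-01-01 UTC: expired, like the MSA key
        "audience_type": "consumer",
    },
    "enterprise-2023": {
        "secret": b"constructed-enterprise-secret",
        "not_before": 1672531200,   # 2023-01-01 UTC
        "not_after": 1704067200,    # 2024-01-01 UTC
        "audience_type": "enterprise",
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint an HS256 JWT with the named key. Used here only to build sample
    tokens; anyone holding the key material can mint tokens the same way."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    mac = hmac.new(KEY_SET[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def signature_valid(token: str) -> bool:
    """Naive check: does the signature verify under the key named by 'kid'?
    A token minted with an expired key passes this check."""
    signing_input, _, sig = token.rpartition(".")
    header = json.loads(_b64url_decode(signing_input.split(".")[0]))
    key = KEY_SET.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return False
    expected = hmac.new(key["secret"], signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def verify_token(token: str, expected_audience_type: str, now: int) -> tuple:
    """Hardened check: signature, key validity window at 'now', key scope
    against the audience this service serves, and the token's own expiry.
    Returns (accepted, reason)."""
    if not signature_valid(token):
        return False, "bad signature or unknown kid"
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    key = KEY_SET[header["kid"]]
    if not key["not_before"] <= now < key["not_after"]:
        return False, "signing key %s is outside its validity window" % header["kid"]
    if key["audience_type"] != expected_audience_type:
        return False, "key %s is not trusted for %s tokens" % (header["kid"], expected_audience_type)
    if claims.get("aud_type") != expected_audience_type:
        return False, "token audience does not match this service"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def demo(now: int = 1690000000) -> dict:
    """Compare the naive and hardened checks on a token forged with the expired
    consumer key and on a token minted with the current enterprise key."""
    forged = sign_token("consumer-2019", {"sub": "user@corp.example", "aud_type": "enterprise", "exp": now + 3600})
    legit = sign_token("enterprise-2023", {"sub": "user@corp.example", "aud_type": "enterprise", "exp": now + 3600})
    return {
        "forged_signature_valid": signature_valid(forged),   # True: the signature itself is fine
        "forged_accepted": verify_token(forged, "enterprise", now),
        "legit_accepted": verify_token(legit, "enterprise", now),
        "enterprise_key_on_consumer_service": verify_token(legit, "consumer", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run stand-alone, `demo()` shows the forged token passing `signature_valid` but failing `verify_token` on the key-window check, while the token minted with the current enterprise key is accepted, and the same enterprise key is refused when presented to a service that only serves consumer accounts. Revoking a key, which is what Microsoft ultimately did, corresponds here to deleting its entry from `KEY_SET` so the `kid` lookup fails; the window and scope checks are what would have rejected the token even before revocation.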
Although the MSA key had been expired since 2021, the system still accepted tokens signed by it. Researchers from Wiz later speculated that the key was also trusted to sign OpenID tokens, which are used for other Microsoft services such as Teams, SharePoint and OneDrive. Microsoft revoked the compromised key, which mitigated the issue. \r\nThere was a lot of activity surrounding vulnerabilities and exploits in Q2/2023 and at the beginning of Q3/2023. While some would say that there were many more reported vulnerabilities, or ones with higher impact, this seems to be only a professional bias, as we were not able to gather hard data that would show a general surge. \r\nJan Vojtěšek, Malware Researcher\r\nMichal Salát, Threat Intelligence Director\r\nWeb Threats \r\nScams \r\nA scam is a type of threat that aims to trick users into giving an attacker their personal information or money. We track various types of scams, which are listed below. \r\nThe Q1/2023 Threat Report shared that scams were the most prevalent threat type, with a significant overall risk ratio of 7.7% and a 33% share among the other malware types. In Q2/2023, the situation has further escalated, and the risk ratio has more than doubled, as demonstrated in the following chart. \r\nScam risk ratio over the last three quarters\r\nOur telemetry saw a massive surge in scam attacks, which began in April and lasted for the duration of the quarter. Attackers have focused mostly on malvertising and malicious browser push notifications as a delivery mechanism for these scams – those are described below. As a result, scam attacks now form more than half of all the blocked attacks in the Avast userbase. 
\r\nWhen we focus on the targets of these attacks, we can see that scammers are not picky and target users across the world: \r\nGlobal risk ratio for scam in Q2/2023\r\nThe countries most at risk of scam attacks were Kosovo, Serbia, Bulgaria, and Slovakia. Furthermore, we’ve monitored some of the largest increases in scam risk in Vietnam (more than threefold), Argentina (+117%), Spain (+112%), France (+97%), Brazil (+95%), Mexico (+87%), the Czech Republic (+81%), and the UK (+78%). \r\nThe second most prevalent subtype after malvertising was dating scams (also known as romance scams), which also increased significantly quarter over quarter. \r\nTechnical support scams followed in terms of overall prevalence but actually decreased slightly in Q2/2023 compared to the previous quarter. \r\nFinally, though not as prevalent as the other scam types, extortion email scams had the most dramatic boost in Q2/2023, with a severalfold increase. We warned consumers of these emails in April 2023 and expect to see more of these types of threats in the future. \r\nMalicious Browser Push Notifications \r\nThese notifications are a common browser feature that allows websites to send users push notifications. They can be pretty handy, so, of course, scammers have found a way to exploit them. Attackers trick users into enabling these notifications so they can then be exploited. \r\nA trendy tactic of scam and adware authors is exploiting “push notifications” in web browsers. The user is forced to enable notifications in order to continue to the desired page – sometimes it only takes a simple misclick. 
The result is that the user is then redirected to various scam sites or bombarded with notifications for various offers and services that lure the user into clicking, for example pop-ups that say the user’s computer is infected, enticing dating sites or incredible “deals” on products. \r\nAs previously mentioned, malicious push notifications were very prevalent in Q2/2023. The risk ratio was extremely high in African countries, such as Congo (18% risk ratio), as well as Japan (12%), Slovakia (11%), Spain (10%), and India (9%). \r\nRisk ratio for malicious browser push notifications in Q2/2023\r\nBased on our detection telemetry, this particular wave of attacks started in the middle of April and lasted through the entire quarter. \r\nRisk ratio for malicious browser push notifications in Q2/2023\r\nDating Scams \r\nDating scams, also known as romance scams or online dating scams, involve fraudsters deceiving individuals into fake romantic relationships. Scammers adopt fake online identities to gain the victim’s trust, with the ultimate goal of obtaining money or enough personal information to commit identity theft. \r\nThere was a concerning and substantial rise in dating scams in Q2/2023 compared to the previous quarter. The surge is evident, with a 39% increase, posing a significant threat to individuals seeking romantic connections online. \r\nIn Q2/2023, we observed yet another variation of this scam, as attackers employed various methods of initial infection, including deceptive emails, push notifications, and misleading advertisements. Once targeted, victims were redirected to seemingly legitimate dating sites populated with fake bot profiles. When individuals attempted to engage in conversation with these profiles, they were coerced into paying for a subscription, falling prey to the scam. 
\r\nExample of a dating scam lure site blocked in Q2/2023\r\nExample of a dating scam blocked in Q2/2023\r\nExample of a dating scam blocked in Q2/2023\r\nTech Support Scams \r\nTech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victims’ devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victims’ trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. It’s important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services. \r\nLuckily, one scam type was not on the rise in Q2/2023 – the technical support scam (TSS). The graph below demonstrates a notable decrease in TSS activity during this period compared to Q1/2023. This decline began at the end of April. \r\nTechnical support scams in Q1/2023-Q2/2023\r\nAnalyzing the data for Q2/2023, Japan emerges as the most active country, with a TSS risk ratio of 3.63%, closely followed by Germany at 3.23%. Next come Canada with 2.60% and the USA with 2.51%, while Switzerland secures its place in the top five with a risk ratio of 2.18%. \r\nRefund and Invoice Scams \r\nInvoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. 
It’s important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud. \r\nIn the digital world we live in, scam emails trying to trick us with fake invoices are becoming more common than ever. The people behind these scams are cunning – they play on our fears of forgetting to pay a bill, they use time pressure and talk about expired deadlines to make us panic, and they even tempt us with discounts to make the deal seem better. So, what’s the best way to avoid falling into this trap? Keep the lines of communication open with your accounting department.\r\nExample of an invoice scam – May 2023\r\nThroughout Q2/2023, we observed a growing trend in the risk ratio of this threat type, with a notable peak in May. \r\nInvoice Scams in Q2/2023\r\nLooking at the map, we see that refund and invoice scams are mainly prevalent in the US and Australia, indicating a high level of activity in these regions. In contrast, Europe shows less activity. \r\nGlobal risk ratio for invoice scams in Q2/2023\r\nPhishing \r\nPhishing is a type of online scam where fraudsters attempt to obtain sensitive information, including passwords or credit card details, by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information. \r\nIn Q2/2023, we observed a more stable, growing trend in phishing compared to the previous quarter, with no drastic fluctuations. 
However, it is evident that activity has started to pick up again after experiencing a minor dip\r\nin April; this indicates the potential for an upward trajectory in the coming months. \r\nPhishing spreading in 2023\r\nCybercriminals continuously refine their tactics and find new ways to exploit users. Vigilance and awareness are\r\ncrucial to staying protected in the ever-evolving threat landscape. The increase in phishing incidents and the\r\nprevalence of smishing attacks serve as a reminder for consumers to be cautious of and skeptical about unsolicited\r\nmessages and requests for personal information. \r\nAdditionally, it’s worth noting that Google’s recent introduction of the “.zip” top-level domain (TLD) has led to an\r\nincrease in domain registrations that exploit the strong similarity to a very popular archive file type. This\r\ndevelopment presents new challenges for organizations and cybersecurity professionals, emphasizing the need for\r\ncontinued vigilance and proactive cybersecurity measures. \r\nIn conclusion, while the current quarter shows relative stability, the ever-present threat of cyber-attacks\r\nnecessitates ongoing diligence and preparedness in safeguarding our digital presence.\r\nOne of the phishing campaigns blocked by Avast in Q2/2023\r\nWeb-based Adware \r\nWeb-based adware refers to malicious software or web pages that display unwanted advertisements in the form of\r\npop-ups, banners, or redirects to third-party websites. Web-based adware can slow web browsing, potentially\r\ncompromising user privacy and security. \r\nDuring Q2/2023, web-based adware continued to be widespread, featuring several noteworthy examples.\r\nThroughout this period, three primary adware types emerged as dominant – we will introduce each within this\r\nsection. \r\nFake Win \r\nOne of the most popular ad types is “winning pages” offering various prizes. 
Adware authors often misuse\r\nthe names of well-known brands to lure their victims. The modus operandi is always similar: the user spins a\r\nvirtual roulette or clicks on some wheel of fortune. The first attempt is always unsuccessful, and the next attempt\r\ninforms users about the win. However, the condition for the payment of the prize is registration and entering\r\npersonal data, often including credit card data. The appearance of credibility is added by a chat on the same page,\r\nwhich declares that the processing of the information worked as expected. \r\nAdult Content \r\nOne of the most significant forms of adware revolves around enticing users with adult content. Particularly\r\nprevalent within this category are adult chat rooms, which try to compel users to access an app or website where\r\nthey can register and “enjoy flirting”. Victims ultimately end up on a website where most profiles are fake or even\r\ndangerous since attackers can use social engineering to extort money from users under the pretext of sending\r\nphotos, paying travel expenses, etc. \r\nAs shown in the animation below, even if the user indicates they are below the required legal age, they are still\r\nredirected to a site with adult content, which is always suspicious. \r\nMovies for “free” \r\nWeb-based adware also hides under the promise of watching popular movies for free. The animation below shows\r\nthat a lure page plays a few seconds of intro and then asks for a click and registration, which usually leads to a\r\npage with some adware.\r\nAlexej Savčin, Malware Analyst\r\nMartin Chlumecký, Malware Researcher\r\nBranislav Kramár, Malware Analyst\r\nMatěj Krčma, Malware Analyst\r\nBohumír Fajt, Malware Analysis Team Lead\r\nJakub Křoustek, Malware Research Director\r\nThis quarter, we have witnessed several interesting developments in the mobile threat ecosystem. 
Notably, a\r\nspyware kit has surfaced on GitHub, adding to a series of spyware kits that have become publicly accessible in\r\nrecent months. Furthermore, there are indications of another spyware being utilized for state surveillance,\r\nboasting extensive access to victims’ personal information. \r\nIn an interesting incident, a seemingly benign screen recorder in the Play Store turned malicious after an update\r\ndelivered a spyware RAT. This technique of delayed malware delivery through updates was also used to drop\r\nbanker malware under the guise of an AI text reader update. \r\nFinally, we observed a worrying trend of mobile loan applications with intrusive permissions using personal\r\ninformation to blackmail victims. \r\nAdware at the top again \r\nAdware threats on mobile phones refer to applications that display intrusive out-of-context adverts to users with\r\nthe intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until sometime\r\nafter installation and coupled with stealthy features such as hiding the adware app icon to prevent removal.\r\nAdware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few. \r\nMobile users had to contend with adware as the most prevalent threat in Q2/2023. Adware serves intrusive\r\nadvertisements to the devices of its victims, raking in fraudulent advertising revenue. Hiding its presence is a core\r\ncomponent in maintaining its ability to generate this revenue, hence adware generally hides its icon or otherwise\r\nmasquerades itself. \r\nHiddenAds were the main strain of adware targeting users this quarter, closely followed by MobiDash and\r\nFakeAdBlockers. MobiDash continued its climb in popularity from last quarter with a 19% increase in targeted\r\nusers, surpassing FakeAdBlockers which are down by 66%. 
All three strains have a similar modus operandi:\r\ndisplaying out-of-context full screen adverts to their victims while hiding their presence on the device. These are\r\ngenerally delivered through third-party app stores, pop-up messages on less reputable sites and malicious\r\nadvertisements. Once installed, it may prove difficult to uninstall the apps due to their stealthy features. \r\nA repacked HiddenAds Minecraft clone app as seen on Play Store prior to its removal\r\nOf note is another HiddenAds campaign discovered on the Play Store that garnered tens of millions of downloads\r\nduring its reign. This strain focused on abusing advertising SDKs to fake displaying adverts to users to gather\r\nrevenue. Victims were able to play the Minecraft clone game while these malicious actions were going on in the\r\nbackground, without their knowledge. \r\nThreat actors continue to find new ways to sneak HiddenAds onto the Play Store, either through further\r\nobfuscation of malicious features or introducing said features in later updates.\r\nGlobal risk ratio of mobile adware in Q1/2023-Q2/2023\r\nWe see a decrease in adware targeted users compared to last quarter, which can likely be attributed to the sharp fall\r\nin FakeAdBlocker hits. This is balanced by the new HiddenAds campaign that snuck onto the Play Store this\r\nquarter.\r\nGlobal risk ratio for mobile adware in Q2/2023\r\nBrazil, India and Argentina keep their top spots this quarter with the most affected users. This remains unchanged\r\ndespite the decrease in overall users affected by adware and Brazil having 26% fewer affected users in Q2/2023.\r\nIndia, Indonesia and Pakistan have the highest risk ratio, meaning users are most likely to encounter adware in\r\nthese countries. 
\r\nNew Banker strains added to the fray \r\nBankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and\r\ninstant payments with the intent of extracting money. Generally distributed through phishing messages or fake\r\nwebsites, Bankers can take over a victim’s device by abusing the accessibility service. Once installed and enabled,\r\nthey often monitor 2FA SMS messages and may display fake bank overlays to steal login information. \r\nThis quarter brings with it continuations of established banker strains as well as some new strains that make use of\r\nestablished techniques with a few twists. A continuing trend, the overall prevalence of bankers is on the decline as\r\nobserved over the last few quarters, even with new strains popping up every quarter. Cerberus/Alien maintains its\r\ntop spot in our telemetry despite losing a significant 50% of its prevalence. Coper has moved up to 2nd place\r\nsurpassing Hydra, another banker strain that lost over 50% of its victim base. \r\nFake PDF editor app requesting file access permission, preparing the stage for the Anatsa banker delivery\r\nOf note is a new dropper campaign on the Play Store which delivered the Anatsa banker. The US, UK, Germany\r\nand other European countries were the main targets of fake PDF reader applications that were used as droppers\r\nover the course of a few months. Initially benign, these apps were later updated to activate malicious components\r\nthat delivered the banker in the form of an AI text reader ‘update’. With the ability to target and exfiltrate login\r\ninformation from over 600 financial institution apps, Anatsa also features full device takeover that allows it to\r\nperform transactions on behalf of the victim. 
\r\nChameleon banker masquerading as the Crypto.com app requesting Accessibility permissions to initiate its\r\nmalicious activity\r\nAnother recent addition to the banker ecosphere is the Chameleon banker. Distributed through compromised\r\nwebsites and Discord servers, it appears to mainly target Poland and Australia. Disguised as ChatGPT, Bitcoin and\r\nChrome among others, it uses keylogging and phishing HTML injection to steal credentials from its victims.\r\nInterestingly, it also features the ability to exfiltrate cookies when a victim attempts to access the popular Coinbase\r\ncrypto exchange website, likely attempting to hijack the session to perform transactions on the victim’s behalf.\r\nFinally, the banker can detect uninstallation efforts by the victim and deletes itself if it anticipates the user getting\r\nsuspicious about the banker app. \r\nGlobal risk ratio of mobile bankers in Q3/2022-Q2/2023\r\nWe continue to observe a steady decline in the banker risk ratio in our telemetry for the last few quarters. This is\r\ndespite new strains appearing in the banker ecosphere. It is likely that threat actors behind bankers are more\r\nfocused on specific countries with more elaborate methods of banker delivery as well as tailored fake bank login\r\npages. \r\nGlobal risk ratio for mobile bankers in Q2/2023\r\nTurkey holds its top place from last quarter with the most protected users and highest risk ratio while Spain,\r\nFrance, Brazil and Italy follow closely behind. We do observe a focus on EU countries and Australia through the\r\nnewly discovered strains in the past few quarters. \r\nSpyware evolution \u0026 SpyLoans \r\nSpyware is used to spy on unsuspecting victims with the intent of extracting personal information such as\r\nmessages, photos, location, or login details. 
It uses fake adverts, phishing messages, and modifications of popular\r\napplications to spread and harvest user information. State backed commercial spyware is becoming more\r\nprevalent and is used to target individuals with 0-day exploits. \r\nThis quarter has witnessed a notable surge in the prevalence of spyware, with Spymax once again taking the lead.\r\nThe landscape is further enriched by several new additions, including BouldSpy, which potentially has affiliations\r\nwith state surveillance, an SDK titled SpinOK that features potential spyware functionalities, and DogeRAT, a\r\nspyware kit made accessible on GitHub. \r\nAlongside these new entries we observe an increased prevalence in SpyLoans, loan applications that extract\r\npersonal information with intent to blackmail victims for money. \r\nDogeRAT’s promised features listed on its GitHub page\r\nSpymax remains the top spyware despite a slight decrease in its risk ratio this quarter. It continues to be used to\r\nextract personal information such as SMS messages, contact lists, location and more. DogeRAT, a spyware kit\r\navailable on GitHub, appears to have taken inspiration from Spymax as we note similarities in its code and\r\nfunctionality. A novel addition is the employment of a Telegram panel for spyware control and execution of\r\nvarious functions, notably encompassing microphone and camera capture. Dissemination occurs through SMS\r\nmessages guiding users to download the application.\r\nA benign request that can be mis-used by AhRAT with a later malicious update\r\nSpyware managed to sneak onto the Play Store this quarter when a screen recorder app turned malicious with a\r\ndelayed update bringing AhRAT spyware with it. 
A tactic observed several times in recent years, users who\r\ninstalled the previously clean version of the app would automatically update to the malicious version without their\r\nknowledge. AhRAT’s C2 communication indicates it should be able to perform a variety of spying functions such\r\nas SMS extraction, location tracking, screen recording and others. However, it appears that it was only capable of\r\nextracting files from the device and recording with the device microphone. We speculate that future versions may\r\nhave introduced further features, but the app was detected and removed from the Play Store before that could\r\nhappen. \r\n \r\nAnother Play Store campaign of note is the SpinOK spyware-capable SDK that was present in highly prevalent\r\napplications. This spyware can gather file lists, telemetry from device data sensors and in some cases copy the\r\nclipboard contents and exfiltrate these to a remote server. Some applications were removed from the Play Store\r\nwhile others were allowed to stay after they removed the spyware SDK. \r\n \r\nAn interesting strain called BouldSpy was discovered by Lookout, with possible links to Iranian state police.\r\nLabelled as a possible botnet, it also contains CryCrypt ransomware capability, although it appears this remains\r\nunused, potentially saved for future use. Often masquerading as the official Android phone app, it can record voice calls\r\nfrom popular messenger applications such as WhatsApp, Viber and others. It uses the Accessibility service to hide\r\nits presence and masquerade as an official app, even mimicking its look and functionality. Meanwhile, it extracts\r\nSMS messages, browser history, photos and more in the background. 
\r\nInvasive information collection under the guise of enabling loan processing as often stated in ToS of spy loan\r\napplications\r\nA worrying trend that has been ongoing for several quarters now is the prevalence of loan applications that\r\npromise fast cash distributed through the Play Store. Previously reported on by Zimperium, these loan applications\r\nrequest invasive permissions under the guise of a credit check or loan security. Once the user allows these\r\npermissions, the spy loan apps extract sensitive information such as messages, contact lists, photos or browsing\r\nhistory. These are then used to blackmail victims, oftentimes even if they pay the agreed loan repayments.\r\nUnfortunately, this trend is gaining popularity with blackmail loan apps appearing to focus on regions with limited\r\nbank loan access such as South America or Asia. Users are advised to avoid mobile loan applications that are not\r\nfrom a trusted financial institution.\r\nGlobal risk ratio of mobile spyware in Q1/2023 and Q2/2023\r\nWe see a slight uptick in the risk ratio of spyware this quarter, likely attributable to the high number of new strains\r\nentering the market. Freely available strains on GitHub such as DogeRAT can also contribute to the increased\r\nspread of spyware. \r\nGlobal risk ratio for mobile spyware in Q2/2023\r\nBrazil has the highest number of protected users, followed by India, Turkey and the US. 
Users in Yemen continue\r\nto be at higher risk of encountering mobile malware when compared to the rest of the world.\r\nJakub Vávra, Malware Analyst\r\nAcknowledgements / Credits \r\nMalware researchers\r\nAdolf Středa\r\nAlexej Savčin\r\nBohumír Fajt\r\nBranislav Kramár\r\nDavid Álvarez\r\nIgor Morgenstern\r\nJakub Křoustek\r\nJakub Vávra\r\nJan Rubín\r\nJan Vojtěšek\r\nLadislav Zezula\r\nLuigino Camastra\r\nLuis Corrons\r\nMartin Chlumecký\r\nMatěj Krčma\r\nMichal Salát\r\nOndřej Mokoš\r\nData analysts\r\nPavol Plaskoň \r\nFilip Husák \r\nLukáš Zobal\r\nCommunications\r\nBrittany Posey\r\nEmma McGowan\r\nMarina Ziegler \r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/"
	],
	"report_names": [
		"avast-q2-2023-threat-report"
	],
	"threat_actors": [
		{
			"id": "d87fb380-03db-447c-a560-33e1b6e70e87",
			"created_at": "2025-05-29T02:00:03.231385Z",
			"updated_at": "2026-04-10T02:00:03.881295Z",
			"deleted_at": null,
			"main_name": "Luna Moth",
			"aliases": [
				"Silent Ransom",
				"TG2729"
			],
			"source_name": "MISPGALAXY:Luna Moth",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ad08bd3d-e65c-4cfd-874a-9944380573fd",
			"created_at": "2023-06-23T02:04:34.517668Z",
			"updated_at": "2026-04-10T02:00:04.842233Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "ETDA:Operation Triangulation",
			"tools": [
				"TriangleDB"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "113b8930-4626-4fa0-9a3a-bcf3ef86f595",
			"created_at": "2024-02-06T02:00:04.14393Z",
			"updated_at": "2026-04-10T02:00:03.578394Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Triangulation",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86fb4ddd-989e-4613-8db8-ca646c553aae",
			"created_at": "2023-11-01T02:00:07.404201Z",
			"updated_at": "2026-04-10T02:00:03.381034Z",
			"deleted_at": null,
			"main_name": "Storm-0558",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm-0558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1c762729-56f7-48d5-8fb0-b64a43716319",
			"created_at": "2023-09-07T02:02:47.944899Z",
			"updated_at": "2026-04-10T02:00:04.907587Z",
			"deleted_at": null,
			"main_name": "Storm-0558",
			"aliases": [
				"Antique Typhoon"
			],
			"source_name": "ETDA:Storm-0558",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434781,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29c2ca9116bd72bd0db9559d418244104a31ee63.pdf",
		"text": "https://archive.orkl.eu/29c2ca9116bd72bd0db9559d418244104a31ee63.txt",
		"img": "https://archive.orkl.eu/29c2ca9116bd72bd0db9559d418244104a31ee63.jpg"
	}
}