ThreatsDay Bulletin: $15B Crypto Bust, Satellite Spying, Billion-Dollar Smishing, Android RATs & More
Summary
This week’s ThreatsDay round-up highlights a string of high-impact cyber incidents and emerging attack techniques: a landmark $15 billion crypto seizure tied to forced-labour scam compounds, the rise of self-spreading WhatsApp banking malware, consumer-grade interception of unencrypted satellite traffic, and multiple mobile- and supply-chain-focused threats. The bulletin covers law-enforcement takedowns, new malware families, infrastructure misuse, and defensive moves by major vendors.
The stories show criminals increasingly treating cybercrime as an industrial-scale business: large laundering rings, smishing syndicates that have netted over $1 billion, phishing-as-a-service kits that defeat MFA, and toolkits that let attackers weaponise legitimate cloud and remote-management platforms.
Key Points
- U.S. authorities seized roughly $15bn (about 127,271 BTC) linked to a transnational forced-labour “pig butchering” scam operation run by the Prince Group; sanctions and indictments followed.
- Kaspersky uncovered Maverick, a banking trojan using a WhatsApp worm (SORVEPOTEL) to spread in Brazil and steal credentials from banks and crypto exchanges.
- Researchers demonstrated that consumer-grade satellite dishes can intercept unencrypted GEO satellite traffic — exposing calls, SMS, corporate emails and in-flight Wi‑Fi data.
- Legacy Windows protocols (LLMNR/NBT-NS) still enable credential theft and NTLM relay-style attacks without software exploits; disable or harden them.
- Unity’s SpeedTree checkout was skimmer-compromised, impacting hundreds of customers and exposing payment and personal data.
- Chinese smishing syndicates have reportedly netted over $1bn via fake SMS scams that harvest card data and monetise it through digital wallets and resale.
- Fake Homebrew installer sites are being used to infect macOS users via clipboard manipulation, delivering stealers such as Odyssey Stealer.
- The UK NCSC recorded a 130% rise in “nationally significant” incidents year-on-year, alongside reports of long-running compromises of UK classified systems.
- Framework devices shipped with signed UEFI components susceptible to BombShell exploits that can bypass Secure Boot and persist through reinstalls.
- A phishing campaign in Colombia used SVG attachments to deliver AsyncRAT via staged HTML Application payloads.
- Google added protections to Messages and account recovery flows (including Sign in with Mobile Number and Recovery Contacts) to curb scams and improve recovery.
- PhantomVAI Loader (C#) is being distributed via shipment-themed phishing to drop stealers and RATs using process hollowing and VM checks.
- Whisper 2FA phishing kit is now a top PhaaS, automating MFA token interception with AJAX-based credential exfiltration loops.
- RMM and remote-access tools (ScreenConnect, AnyDesk, etc.) are increasingly abused by APTs and ransomware groups for persistence and lateral movement.
- Brazilian authorities disrupted a laundering network accused of moving roughly $540m and implicated in a larger $9bn movement through shell structures and exchanges.
- Researchers showed AWS X‑Ray can be repurposed as a covert C2 channel by abusing trace annotations and APIs.
- Chainalysis reports over $75bn in crypto balances linked to illicit activity, with $15bn directly held by illicit actors.
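The LLMNR/NBT-NS point above ends with "disable or harden them". The following PowerShell is an added example of doing exactly that on a single Windows host; it is not code from the bulletin or from The Hacker News. It assumes an elevated session and that no domain Group Policy overrides the registry value it sets. The registry path, the `SetTcpipNetbios` WMI method and the `Set-SmbServerConfiguration` cmdlet are the standard documented ones; the verification function name is my own.

```powershell
# Added example (not from the bulletin): turn off the two legacy name-resolution
# protocols that poisoning tools abuse, require SMB signing to blunt NTLM relay,
# then verify the result. Assumes an elevated PowerShell session.

# 1. Disable LLMNR. This is the same policy value the "Turn off multicast name
#    resolution" Group Policy setting writes.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
Set-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' -Type DWord -Value 0

# 2. Disable NetBIOS over TCP/IP on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = 2 }
        # ReturnValue 0 = applied, 1 = applied but a reboot is required
        [pscustomobject]@{ Adapter = $_.Description; ReturnCode = $r.ReturnValue }
    }

# 3. Require SMB signing so a captured NTLM exchange cannot simply be relayed to
#    this host's SMB service.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 4. Verify. Both flags should be $true; NetBIOS may only report as disabled
#    after a reboot on some adapters.
function Test-LegacyNameResolutionDisabled {
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name 'EnableMulticast' `
                -ErrorAction SilentlyContinue).EnableMulticast
    $netbiosStillOn = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                        -Filter 'IPEnabled = TRUE' |
                      Where-Object { $_.TcpipNetbiosOptions -ne 2 }
    $smb = Get-SmbServerConfiguration
    [pscustomobject]@{
        LlmnrDisabled       = ($llmnr -eq 0)
        NetbiosDisabled     = (-not $netbiosStillOn)
        SmbSigningRequired  = $smb.RequireSecuritySignature
    }
}
Test-LegacyNameResolutionDisabled
```

In a domain, push the same three settings through Group Policy rather than per host (the LLMNR setting lives under Computer Configuration > Administrative Templates > Network > DNS Client), and keep the verification function as a scheduled compliance check so a re-imaged or newly joined machine that drifts back to defaults shows up.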
Author’s take
Punchy and direct: this bulletin reads like a playbook of modern cybercrime — big money, industrial techniques, and clever misuse of legitimate tech. Some stories are headline-level catastrophes; others are quieter but show how everyday tools become attack vectors.
Why should I read this?
Short version: if you use phones, apps, cloud services or payments, this matters. We skimmed the mess so you don’t have to — it’s the week’s top threats in one place, with the bits that actually affect security teams, developers and everyday users. Read it to know what to patch, block or question tomorrow.
Context and relevance
Collectively these incidents underline three trends: cybercrime is heavily monetised and organised; attackers increasingly reuse legitimate infrastructure and dev tools to hide malice; and old protocol weaknesses remain an easy foothold. For security teams this means prioritising threat-hunting for lateral movement, hardening identity and MFA, monitoring for abuse of legitimate services, and ensuring supply-chain and firmware integrity.
Source
Source: https://thehackernews.com/2025/10/threatsday-bulletin-15b-crypto-bust.html
