This week's top cybersecurity and dark web news stories cover the new ClayRat Android spyware posing as popular apps, the hackers leaking stolen Salesforce data, and the third-party breach that exposed Discord users' ID photos.
New Android spyware imitates apps
A new Android spyware campaign dubbed ClayRat is spreading through Telegram channels and malicious lookalike websites, posing as popular apps including WhatsApp, Google Photos, TikTok, and YouTube.
According to researchers, more than 600 malware samples and 50 distinct droppers have been uncovered in just three months, pointing to a highly active operation primarily targeting Russian users.
The attackers use phishing portals and fake Play Store-style pages with fabricated comments, inflated download counts, and detailed sideloading instructions to trick victims into installing infected APKs. Some versions act as droppers: they show a fake Play Store update screen and install the real payload through Android's session-based package installer API. Packages installed that way are treated like store installs, so the extra warnings and restricted-settings prompts that Android 13 and later apply to sideloaded apps do not fire.
Once installed, ClayRat asks to become the device's default SMS handler, a role that lets it read, send and suppress messages without a per-message permission prompt. The spyware can:
- Steal SMS, call logs, and notifications.
- Take front-camera photos.
- Send SMS or make phone calls.
- Harvest device info and installed apps.
- Spread to new victims by mass texting contacts.
Communication with the malware's command-and-control (C2) servers is AES-GCM encrypted, and the protocol supports 12 different commands for data theft and propagation.
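The two traits above that an analyst can check for on a device are a sideloaded package that borrows a well-known brand name and a sideloaded app holding the default SMS role. The following triage script is an added example, not code from the researchers who analysed ClayRat: it parses the text output of three standard adb commands (`pm list packages -i`, `pm list packages -s` and `settings get secure sms_default_application`), which are embedded here as constructed samples so it runs offline. The package names in the samples (for example `com.whatsapp.update`) are made up for illustration; the real ClayRat package names are not on this page.

```python
"""Triage sideloaded lookalike apps and a sideloaded default SMS handler.

Added example. Input is the text of:
  adb shell pm list packages -i        -> "package:<name>  installer=<pkg|null>"
  adb shell pm list packages -s        -> system packages, "package:<name>"
  adb shell settings get secure sms_default_application
All sample data below is constructed for the example.
"""
import re

# Installer package names that correspond to a real app store on most devices.
STORE_INSTALLERS = {
    "com.android.vending",                 # Google Play
    "com.sec.android.app.samsungapps",     # Galaxy Store
    "com.huawei.appmarket",                # AppGallery
}

# Genuine package names of the brands ClayRat imitates.
GENUINE = {
    "whatsapp": "com.whatsapp",
    "tiktok": "com.zhiliaoapp.musically",
    "youtube": "com.google.android.youtube",
    "photos": "com.google.android.apps.photos",
}

# Constructed sample of `pm list packages -i`. The "premium" YouTube clone was
# installed by a chat app, which is what a Telegram-delivered dropper looks like.
SAMPLE_PM = """\
package:com.whatsapp  installer=com.android.vending
package:com.whatsapp.update  installer=null
package:com.google.android.youtube  installer=com.android.vending
package:org.example.youtube.premium  installer=org.telegram.messenger
package:com.android.messaging  installer=null
"""

# Constructed sample of `pm list packages -s` (system packages).
SAMPLE_SYSTEM = "package:com.android.messaging\n"

# Constructed sample of `settings get secure sms_default_application`.
SAMPLE_DEFAULT_SMS = "com.whatsapp.update\n"


def parse_pm_list(text):
    """Return {package: installer_or_None} from `pm list packages -i` output."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def parse_system_list(text):
    """Return the set of system package names from `pm list packages -s`."""
    return set(re.findall(r"package:(\S+)", text))


def impersonated_brand(pkg):
    """Brand whose name a package borrows, unless it is the genuine package."""
    for brand, genuine in GENUINE.items():
        if brand in pkg.lower() and pkg != genuine:
            return brand
    return None


def triage(pm_text, default_sms_text, system_text):
    """Return a list of (package, reason) findings."""
    pkgs = parse_pm_list(pm_text)
    system = parse_system_list(system_text)
    default_sms = default_sms_text.strip()
    findings = []

    # 1. Lookalike package names that did not arrive through an app store.
    for pkg, installer in pkgs.items():
        brand = impersonated_brand(pkg)
        if brand and installer not in STORE_INSTALLERS:
            findings.append((pkg, f"imitates {brand}, installed by {installer or 'sideload'}"))

    # 2. Default SMS handler that is neither a system app nor store-installed.
    #    Preinstalled messaging apps also report installer=null, so they are
    #    excluded via the system package list instead of the installer field.
    if default_sms and default_sms not in system:
        installer = pkgs.get(default_sms)
        if installer not in STORE_INSTALLERS:
            findings.append((default_sms, f"default SMS handler, installed by {installer or 'sideload'}"))
    return findings


if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM, SAMPLE_DEFAULT_SMS, SAMPLE_SYSTEM):
        print(f"{pkg}: {reason}")
```

On a real device, replace the three constructed samples with the output of the adb commands named in the docstring. A non-store installer is not proof of malice on its own (enterprise MDM and some OEM stores also sideload), but a sideloaded package holding the default SMS role deserves a closer look.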
Salesforce breach enters new phase as hackers leak data
The high-profile Salesforce hacking case has escalated after the extortion group Scattered Lapsus$ Hunters reportedly began leaking data stolen from at least six victims, just days after the FBI seized the attackers' data leak site.
The victims include grocery chain Albertsons, energy company Engie Resources, Fujifilm, Gap, and Vietnam Airlines.
According to SC Media, Salesforce said on October 7th that it would not negotiate or pay a ransom in relation to the attacks, which targeted at least 39 of its customers, including major brands such as FedEx and Google. The affected organizations appear to be following suit, as the hackers have begun releasing stolen data publicly.
The leaked data includes customer and internal business information from other impacted companies, raising concerns about downstream risks such as phishing and identity theft.
The attacks were made possible after threat actors stole OAuth tokens from third-party applications such as Drift. An OAuth access token is a bearer credential: the API checks that the token itself is valid, not who is presenting it, so a token lifted from a trusted integration works without the user's password or MFA step and carries whatever scopes the integration was granted. That makes such tokens a valuable target for attackers. Once stolen, the tokens allowed the hackers to bypass security controls and exfiltrate sensitive Salesforce data from customer environments.
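The bearer-token property described above is easier to see with both sides of the exchange in code. The following is an added example, not Salesforce's or Drift's code: an authorization server issues HMAC-signed access tokens, a resource server validates them, and the same token is then accepted from an "attacker" client because nothing in a plain bearer check ties the token to its original holder. The hardened check adds two controls a practitioner would want: sender constraint (the token carries a `cnf` claim with the SHA-256 thumbprint of the client's mTLS certificate, the binding defined in RFC 8705) and a revocation set consulted on every call. The signing key, client names, token layout and timestamps are assumptions for illustration.

```python
"""Bearer tokens versus sender-constrained tokens. Added example.

The user completed password + MFA once, at grant time. The resulting access
token records nothing about that interaction, so a plain bearer check cannot
tell a legitimate integration from whoever copied the token out of it.
"""
import base64
import hashlib
import hmac
import json
import os
import time

SERVER_KEY = b"constructed-demo-signing-key"   # assumption: AS/RS shared HMAC key
REVOKED = set()                                 # jti values revoked after an incident


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(client_id, scope, ttl, cert_thumbprint=None, now=None):
    """Authorization server: mint `<base64 claims>.<base64 HMAC>`.
    If cert_thumbprint is given, the token is bound to that client certificate."""
    now = int(time.time()) if now is None else now
    claims = {"client_id": client_id, "scope": scope,
              "exp": now + ttl, "jti": _b64(os.urandom(8))}
    if cert_thumbprint:
        claims["cnf"] = {"x5t#S256": cert_thumbprint}   # RFC 8705 confirmation claim
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"


def verify_bearer(token, now=None):
    """Resource server, plain bearer semantics: signature and expiry only.
    Returns the claims if valid, else None. Possession of the string is proof."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] <= (int(time.time()) if now is None else now):
        return None
    return claims


def revoke(token):
    """Add the token's jti to the revocation set (e.g. after an integration is compromised)."""
    claims = json.loads(_unb64(token.split(".")[0]))
    REVOKED.add(claims["jti"])


def verify_bound(token, presenter_thumbprint, now=None):
    """Hardened resource server: the presenter's mTLS certificate thumbprint must
    match the cnf claim, and the jti must not be revoked. Unbound tokens are rejected."""
    claims = verify_bearer(token, now)
    if claims is None or claims["jti"] in REVOKED:
        return None
    bound = claims.get("cnf", {}).get("x5t#S256")
    if bound is None or not hmac.compare_digest(bound, presenter_thumbprint):
        return None
    return claims


def demo():
    """Walk through theft of a token from an integration. Returns the outcomes."""
    t0 = 1_700_000_000
    stolen = issue_token("drift-integration", "api refresh_token", 3600, now=t0)
    bound = issue_token("drift-integration", "api", 3600,
                        cert_thumbprint="legit-cert-thumbprint", now=t0)
    out = {
        # Plain bearer: the attacker replays the copied token and is accepted.
        "bearer_accepts_attacker": verify_bearer(stolen, now=t0 + 60) is not None,
        # Bound token: rejected unless presented over the legitimate client cert.
        "bound_accepts_legit": verify_bound(bound, "legit-cert-thumbprint", now=t0 + 60) is not None,
        "bound_rejects_attacker": verify_bound(bound, "attacker-cert-thumbprint", now=t0 + 60) is None,
    }
    revoke(bound)
    out["bound_rejects_after_revoke"] = verify_bound(bound, "legit-cert-thumbprint", now=t0 + 60) is None
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same sender constraint can be achieved without mTLS using DPoP (RFC 9449), where the client proves possession of a key on each request. Either way, the resource server stops treating the token string alone as sufficient, which is the property the Drift-token theft exploited.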
Discord data breach exposes ID photos of 70,000 users via third-party attack
Discord, the popular messaging platform with over 200 million users, has disclosed that official ID photos and personal information from around 70,000 users may have been leaked following a cyberattack on a third-party service provider.
Discord confirmed that its own systems were not breached. Instead, attackers targeted a company responsible for verifying users' ages, a process in which users upload official identification to prove they are over a certain age. The platform has not publicly named the affected vendor.
According to Discord, the leaked data may include:
- Official ID photos.
- Personal information.
- Partial credit card details.
- Messages exchanged with Discord’s customer support.
No full credit card numbers, passwords, or user activity outside of support interactions were compromised. Discord has revoked the vendor’s access, contacted all impacted users, and is working with law enforcement to investigate.