Full Report
Hackers have been busy again this week. From fake voice calls and AI-powered malware to huge money-laundering busts and new scams, there’s a lot happening in the cyber world. Criminals are getting creative — using smart tricks to steal data, sound real, and hide in plain sight. But they’re not the only ones moving fast. Governments and security teams are fighting back, shutting down fake
Analysis Summary
# Main Topic
The threat intelligence landscape summary highlights several evolving cyber threats, notably the emergence of **AI-powered malware**, the proliferation of **fake voice calls/scams**, and coordinated efforts by criminals in **money laundering**. Concurrently, governments and security teams are responding by shutting down malicious infrastructure and tightening regulations.
## Key Points
- Criminals are increasingly creative, using smart tricks to steal data, impersonate real voices convincingly, and hide in plain sight.
- AI is being actively used by threat actors, evidenced by the mention of "AI-powered malware."
- Defense efforts include government actions to shut down fake networks and ban risky projects.
- Large-scale law enforcement action resulted in significant "money-laundering busts."
- Specific threats mentioned include the resurfacing of Mirai-based malware campaigns targeting IoT devices.
- Security vendors noted a strategic shift by threat actors toward targeting IoT environments.
## Threat Actors
- Threat actors behind the **Mirai-based ShadowV2 botnet** were observed leading an IoT infection campaign.
- Threat actors associated with the **RondoDox** botnet were also noted targeting IoT devices using Mirai exploits.
- Unspecified criminal groups were behind the money-laundering activity that prompted the "huge money-laundering busts."
## TTPs
- **IoT Exploitation:** ShadowV2 utilized exploits targeting specific device vendors to recruit devices into a zombie army for DDoS attacks.
- Exploited vulnerabilities include: CVE-2009-2765 (DD-WRT); CVE-2020-25506, CVE-2022-37055, CVE-2024-10914 and CVE-2024-10915 (D-Link); CVE-2023-52163 (DigiEver); CVE-2024-3721 (TBK); and CVE-2024-53375 (TP-Link).
- Post-exploitation: Execution of a **downloader shell script** followed by deployment of ShadowV2 malware.
- **Social Engineering/Impersonation:** Use of **fake voice calls** and techniques that make the caller "sound real."
- **Advanced Malware:** Development and deployment of **AI-powered malware**.
## Affected Systems
- **IoT Devices:** IoT devices across industries and continents were targeted by the ShadowV2 and RondoDox botnets.
- **Messaging Platforms:** Singapore issued directives against spoofing campaigns targeting **iMessage (Apple)** and **RCS-supported Messages app (Google)**.
- **Cloud Environments:** The ShadowV2 activity was specifically observed during an **Amazon Web Services (AWS) outage**.
## Mitigations
- **Incident Response/Intelligence:** Security teams are actively "shutting down fake networks" and banning risky projects.
- **Regulatory Action (Singapore):** Orders issued to Apple and Google under the Online Criminal Harms Act to implement new anti-spoofing protections starting December 2025.
  - Requirements include blocking/filtering messages that mimic Singapore government agencies or use the "gov[.]sg" sender ID on iMessage and RCS.
- **Vulnerability Management:** Patching disclosed vulnerabilities that are actively being exploited by botnets (listed in TTPs section).
- **General Defense:** Security posture tightening in response to evolving threats like AI malware.
## Conclusion
The current threat environment is characterized by rapid technological adoption by criminals (AI, realistic voice synthesis) and a focus on high-volume, interconnected targets like IoT infrastructure. Defense efforts are accelerating through regulatory intervention regarding social engineering scams over messaging platforms and ongoing takedowns of botnet infrastructure. Organizations must prioritize securing IoT assets and remain vigilant against advanced social engineering tactics employing synthesized audio.