Day: February 24, 2025

CYFIRMA researchers discovered that the SpyLend Android malware was downloaded 100,000 times from the official app store Google Play.

CYFIRMA researchers discovered an Android malware, named SpyLend, which was distributed through Google Play as Finance Simplified. The malware targets Indian users with unauthorized loan apps, enabling predatory lending, blackmail, and extortion.

The Finance Simplified app is still available on Google Play at the time of this report’s publication, with downloads doubling to 100,000 in a week. Experts have noted numerous negative reviews, with users reporting blackmail, harassment, and photo manipulation.

The app poses as a financial tool, it lures users with easy loan promises but demands excessive permissions to access contacts, call logs, SMS, photos, and location.

“While marketed as a finance calculator, the app detects the user’s location (India) and displays fake loan applications via WebView instead of providing EMI calculator functionality.” reads the report published by CYFIRMA. “These loan apps are specifically designed to target Indian users.”

The app redirects users to external links for APK downloads, bypassing Google Play security. Once installed, it accesses photos, videos, and contacts, capturing clipboard data to steal sensitive information.

The researchers discovered that the malicious app uses a custom C2 server on Amazon EC2, with an admin panel in English and Chinese, suggesting Chinese-speaking attackers. The malware exploits APIs to access files, contacts, call logs, SMS, and installed apps. Operators behind the threat used stolen data for blackmail and extortion, they were spotted editing victims’ photos into fake nudes to coerce payments.

“The analysis of SpyLend reveals a highly deceptive and dangerous threat targeting Android users. Initially presented as a harmless Finance management application, it downloads a fraud loan app from an external download URL, which once installed, gains extensive permissions to access sensitive data, including files, contacts, call logs, SMS, clipboard content, and even the camera.” concludes the report. “This allows the attackers to extort users by the creation of deepfake photos from the manipulation of files in their photo gallery. The app’s ability to harvest and exploit personal information highlights its severe impact on user privacy and security, demonstrating how malicious actors abuse seemingly legitimate apps to carry out financial fraud and psychological manipulation.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SpyLend Android malware)

Leaked Black Basta chat logs reveal internal conflicts, exposing member details and hacking tools as the gang reportedly falls apart.

An unknown actor, named ExploitWhispers, leaked Matrix chat logs of the Black Basta ransomware gang revealing internal conflicts, and exposing member details and hacking tools as the gang reportedly collapses.

ExploitWhispers first uploaded the chat messages on MEGA, then also uploaded them to Telegram.

The leaked archive includes Black Basta’s internal chat messages from September 18, 2023, to September 28, 2024.

PRODAFT researchers reported that Black Basta has been largely inactive in 2025 due to internal conflicts, ransom scams, and ineffective ransomware. Key members left for other groups, and a major chat log leak on February 11 exposed their operations, allegedly due to attacks on Russian banks.

“BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind.” wrote PRODAFT on X.

“As part of our continuous monitoring, we’ve observed that BLACKBASTA (Vengeful Mantis) has been mostly inactive since the start of the year due to internal conflicts. Some of its operators scammed victims by collecting ransom payments without providing functional decryptors.” added the experts.

Their ransomware is also considered less effective compared to other major groups. Earlier this year, key members left BLACKBASTA to join Cactus (Nurturing Mantis) ransomware or other cybercriminal groups. The internal conflict was driven by “Tramp” (LARVA-18), a known threat actor who operates a spamming network responsible for distributing QBOT. As a key figure within BLACKBASTA, his actions played a major role in the group’s instability.

On February 11, 2025, a major leak exposed BLACKBASTA’s internal Matrix chat logs. The leaker claimed they released the data because the group was targeting Russian banks. This leak closely resembles the previous Conti leaks.”

The leaked Black Basta chat logs reveal insights into the gang’s operations, tactics, and tools. Researchers found they prioritized VPN exploits and maintained a shared victim spreadsheet. One member was identified as a 17-year-old. Messages indicate a blunt, high-pressure work environment.

Researchers from VX-underground analyzed the leaked Black Basta chat logs and reported they reveal insights into their operations, including skepticism towards LockBit, recruitment concerns about Dispossessor ransomware group, and interest in VPN exploits. One member is a 17-year-old. They use social engineering, maintaining a spreadsheet of targets and prioritizing industries like electrical and financial firms. Their workflow includes tricking victims into executing malicious files that connect to a C2 server, enabling ransomware deployment or remote access. A private loader was offered to them for $84,000/month.

The leaked messages from Black Basta convey a direct and harsh tone, with members mocking failures and emphasizing deadlines. Their workflow relies on social engineering to deliver malicious HTA files that connect to their server for payload deployment. Victims typically have 10-12 days to pay the ransom before their stolen data is published.

The researcher Suyesh Prabhugaonkar identified 367 unique Zoom links, domains, and IPs used by Black Basta. The gang exploited weak credentials, unpatched vulnerabilities, and social engineering for initial access. They rotated infrastructure to avoid detection and tested payloads. Key player GG (Trump), likely leader Oleg Nefedov, was involved in delegating tasks, tracking performance, and applying pressure on deadlines, according to Prodaft.

In May 2024, the FBI, CISA, HHS, and MS-ISAC issued a joint Cybersecurity Advisory (CSA) regarding the Black Basta ransomware activity as part of the StopRansomware initiative.

Black Basta has targeted at least 12 critical infrastructure sectors, including Healthcare and Public Health. The alert provides Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) obtained from law enforcement investigations and reports from third-party security firms.

Black Basta ransomware-as-a-service (RaaS) has been active since April 2022, it impacted several businesses and critical infrastructure entities across North America, Europe, and Australia. As of May 2024, Black Basta has impacted over 500 organizations worldwide.

“Black Basta is a ransomware-as-a-service (RaaS) variant, first identified in April 2022. Black Basta affiliates have targeted over 500 private industry and critical infrastructure entities, including healthcare organizations, in North America, Europe, and Australia.” reads the CSA.

In December 2023, Elliptic and Corvus Insurance published a joint research that revealed the group accumulated at least $107 million in Bitcoin ransom payments since early 2022. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall. 

The researchers analyzed blockchain transactions, they discovered a clear link between Black Basta and the Conti Group.

In 2022, the Conti gang discontinued its operations, coinciding with the emergence of the Black Basta group in the threat landscape.

The group mainly laundered the illicit funds through the Russian crypto exchange Garantex.

“Black Basta is a Russia-linked ransomware that emerged in early 2022. It has been used to attack more than 329 organizations globally and has grown to become the fourth-most active strain of ransomware by number of victims in 2022-2023.” reads the Elliptic’s report. “Our analysis suggests that Black Basta has received at least $107 million in ransom payments since early 2022, across more than 90 victims. The largest received ransom payment was $9 million, and at least 18 of the ransoms exceeded $1 million. The average ransom payment was $1.2 million.”

Most of the victims are in the manufacturing, engineering and construction, and retail sectors. 61,9% of the victims are in the US, 15.8% in Germany, and 5.9% in Canada.

Some of the victims’ ransom payments were sent by both Conti and Black Basta groups to the gang behind the Qakbot malware.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)