
Malware-Free Attacks Surge As Cybercriminals Use Legitimate Tools To Bypass Security
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
Cyber threats have evolved dramatically, with adversaries moving faster and using more advanced techniques to infiltrate networks, according to CrowdStrike’s latest Global Threat Report.
In a Rush? Here are the Quick Facts!
- Breakout time dropped to 48 minutes in 2024, with a record 51 seconds.
- Vishing attacks increased by 442% between the first and second half of 2024.
- 79% of cyberattacks in 2024 were malware-free, up from 40% in 2019.
The findings highlight the growing reliance on social engineering, identity-based attacks, and artificial intelligence to bypass security defenses.
One of the most alarming trends is the decrease in “breakout time”—the time it takes for an attacker to move laterally within a compromised network. The average breakout time dropped to just 48 minutes in 2024, with the fastest recorded at a mere 51 seconds.
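To make the metric concrete, here is an added example (not code from CrowdStrike or its report) that computes breakout time from constructed endpoint events: the gap between the first detection on the initially compromised host and the first activity on a second host within the same incident.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: (incident id, host, ISO timestamp, event type).
# Breakout time, as the article defines it, is the elapsed time from initial compromise on
# the first host to the first activity on a different host in the same incident.
SAMPLE_EVENTS = [
    ("INC-1", "ws-01", "2024-06-01T09:00:00", "initial_access"),
    ("INC-1", "ws-01", "2024-06-01T09:10:00", "discovery"),
    ("INC-1", "srv-07", "2024-06-01T09:48:00", "lateral_movement"),
    ("INC-2", "ws-22", "2024-06-02T14:00:00", "initial_access"),
    ("INC-2", "srv-03", "2024-06-02T14:00:51", "lateral_movement"),
    ("INC-3", "ws-40", "2024-06-03T08:00:00", "initial_access"),
    ("INC-3", "ws-40", "2024-06-03T08:30:00", "discovery"),  # adversary never left the host
]


def breakout_times(events):
    """Return {incident: timedelta} for every incident in which a second host was reached."""
    first_seen = {}  # incident -> (origin host, time of earliest event)
    breakout = {}
    for inc, host, ts, _kind in sorted(events, key=lambda e: e[2]):
        t = datetime.fromisoformat(ts)
        if inc not in first_seen:
            first_seen[inc] = (host, t)
            continue
        origin_host, t0 = first_seen[inc]
        # The first event on any host other than the origin marks the breakout.
        if host != origin_host and inc not in breakout:
            breakout[inc] = t - t0
    return breakout


def average_breakout(times):
    """Mean breakout time across incidents that broke out; None if none did."""
    if not times:
        return None
    return sum(times.values(), timedelta()) / len(times)


if __name__ == "__main__":
    result = breakout_times(SAMPLE_EVENTS)
    for inc, delta in result.items():
        print(f"{inc}: breakout after {delta}")
    print("average:", average_breakout(result))
```

Incidents that never reach a second host (INC-3 here) are excluded from the average, so a long dwell time on one machine does not inflate the figure.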
This rapid escalation means organizations have even less time to detect and stop breaches before significant damage is done. Social engineering attacks surged, with voice phishing (vishing) increasing by 442% between the first and second half of 2024.
CrowdStrike’s report also highlights a shift away from traditional malware-based attacks. In 2024, 79% of detections were malware-free, compared to just 40% in 2019. Instead of deploying malware, attackers are using hands-on-keyboard techniques, mimicking legitimate user behavior to evade detection.
CrowdStrike warned that cloud services are becoming a preferred target for malicious activity, with a 26% increase in unattributed cloud intrusions in 2024 compared to 2023.
The report highlighted that attackers are gaining initial access through valid accounts, using cloud environment management tools for lateral movement, and exploiting cloud provider command line tools.
The technology sector remained the most targeted industry for the seventh consecutive year, followed by consulting, manufacturing, and retail.
The report underscores the growing professionalism of cybercriminals, who now operate like structured businesses, continuously refining their tactics.
With identity-based attacks and AI-driven threats on the rise, experts urge organizations to prioritize proactive defense strategies, including risk-based patching, enhanced identity verification, and early credential abuse detection.
With a low barrier to entry, genAI enables threat actors to craft highly convincing phishing emails, deepfake videos, and disinformation campaigns. As cyber adversaries become more sophisticated, security teams must adapt quickly to counter evolving threats.

More Than 1 Million Android Devices Compromised By Hidden Backdoor
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Sarah Frazier Former Content Manager
A team of cybersecurity researchers has uncovered and partially disrupted a large-scale fraud operation called BADBOX 2.0, which involved a botnet of over one million infected Android-based devices.
In a Rush? Here are the Quick Facts!
- Researchers uncovered BADBOX 2.0, a botnet of over one million infected Android devices.
- The botnet used pre-installed backdoors in uncertified Android devices for cybercrime.
- Infected devices enabled ad fraud, account takeovers, DDoS attacks, and malware distribution.
The operation, an evolution of the original BADBOX campaign exposed in 2023, relied on backdoors pre-installed on low-cost, uncertified consumer devices to facilitate cybercriminal activities.
The investigation, led by HUMAN’s Satori Threat Intelligence and Research team in collaboration with Google, Trend Micro, Shadowserver, and other partners, revealed strong evidence linking the perpetrators behind BADBOX to the expansion of the BADBOX 2.0 scheme.
This scheme builds on the original BADBOX operation revealed in 2023 and represents the most extensive botnet of infected connected TV (CTV) devices ever identified, compromising over one million uncertified, low-cost Android devices worldwide.
BADBOX 2.0 exploits backdoors in consumer electronics such as off-brand tablets, CTV boxes, and digital projectors to deploy fraud modules remotely. These devices connect to command-and-control (C2) servers run by multiple cybercriminal groups.
The infection spreads through compromised supply chains, pre-installed malware, or third-party app downloads, enabling attackers to take control of unsuspecting users’ devices.
Once infected, these devices become part of a vast botnet used for fraudulent activities. Attackers use them for ad fraud by running hidden ads and simulating engagement, click fraud by directing traffic to fake domains, and automated browsing to inflate website traffic.
The botnet also enables cybercriminals to sell access to infected devices’ IP addresses for residential proxy services, facilitating account takeovers, fake account creation, and bypassing authentication systems.
Additionally, compromised devices are used in DDoS attacks, malware distribution, and one-time password (OTP) theft, allowing attackers to hijack user accounts.
The malware powering BADBOX 2.0 manipulates user behavior and engagement metrics through hidden ads and automated browsing, generating fraudulent ad revenue and distorting the digital advertising ecosystem.
HUMAN researchers identified four main cybercriminal groups involved in the operation. SalesTracker Group managed the BADBOX infrastructure and its expansion, while MoYu Group developed the backdoor, operated the botnet, and ran a click fraud campaign.
Lemon Group was linked to residential proxy services and fraudulent online gaming websites, and LongTV developed malicious CTV applications to facilitate hidden ad fraud.
To reduce exposure, users are advised to check whether their devices are Google Play Protect certified and avoid uncertified Android devices.