{"id":97306,"date":"2025-03-26T16:05:19","date_gmt":"2025-03-26T16:05:19","guid":{"rendered":"https:\/\/cybersecuritynews.com\/?p=97306"},"modified":"2025-03-26T16:05:21","modified_gmt":"2025-03-26T16:05:21","slug":"top-3-cyber-attacks-in-march-2025","status":"publish","type":"post","link":"https:\/\/cybersecuritynews.com\/top-3-cyber-attacks-in-march-2025\/","title":{"rendered":"Top 3 Cyber Attacks In March 2025"},"content":{"rendered":"\n

March 2025 saw a sharp uptick in cyber threats that put both individual users and organizations at risk. From banking apps weaponized to steal personal data, to trusted domains abused for redirecting users to phishing traps, cybercriminals didn\u2019t hold back. <\/p>\n\n\n\n

Their tactics are growing more creative and more dangerous. <\/p>\n\n\n\n

Here\u2019s a breakdown of the three standout attacks that made headlines this month.  <\/p>\n\n\n\n

1. Fake Banking App Targeting Android Users via Telegram\u00a0<\/strong><\/h2>\n\n\n\n

A sophisticated malware dropper was spotted mimicking the IndusInd Bank app, targeting Android users in a phishing scheme aimed at stealing sensitive financial information.  <\/p>\n\n\n\n

Once installed, the malicious app displays a fake banking interface, tricking users into entering critical details like their mobile number, Aadhaar and PAN numbers, and net banking credentials. <\/p>\n\n\n\n

After the victims submit the data, it is sent to both a phishing server and a Telegram-controlled command and control (C2) channel. <\/p>\n\n\n\n

The APK itself contains base.apk, the core malicious payload, and has permissions to install other apps. The dropper is also obfuscated and uses XOR-encryption with a key (\u201cnpmanager\u201d) to conceal its code and behavior. <\/p>\n\n\n\n

You can see a real-world sample of this attack in ANY.RUN<\/a>\u2019s new Android sandbox: <\/p>\n\n\n\n

View analysis session<\/a>\u00a0<\/strong><\/p>\n\n\n

\n
\"\"\/
Banking app interface displayed inside ANY.RUN sandbox <\/figcaption><\/figure><\/div>\n\n\n

Inside the sandbox, let\u2019s explore the actual interface of the fake banking app and trace how the attack unfolds.  <\/p>\n\n\n\n

By following the process tree and network connections, you can observe how a user was tricked into submitting their credentials. <\/p>\n\n\n

\n
\"\"\/
Sensitive information entered by the user <\/figcaption><\/figure><\/div>\n\n\n

Network activity also reveals how the stolen data is sent to a phishing site, then forwarded to a Telegram-controlled command server. <\/p>\n\n\n

\n
\"\"\/
Communication with Telegram captured by ANY.RUN Android sandbox <\/figcaption><\/figure><\/div>\n\n\n

This type of attack highlights just how quickly mobile threats are growing. One compromised employee can open the door to sensitive data, internal systems, and even financial accounts, putting the entire business in danger.  <\/p>\n\n\n\n

That\u2019s why it\u2019s so important for organizations to stay ahead of these threats. Giving your team the right tools to check suspicious apps before they become a problem is a lot easier and safer than dealing with a full-blown breach later. <\/p>\n\n\n\n

Equip your team with the right tools to analyze suspicious threats in seconds inside a secure, isolated sandbox environment -> Sign up for 14-day ANY.RUN trial<\/a>\u00a0<\/strong><\/p>\n\n\n\n

2. Trusted Websites Exploited for Malicious Redirects\u00a0<\/strong><\/h2>\n\n\n\n

In another campaign exposed by ANY.RUN researchers in March, attackers abused redirect functions on long-standing, trusted domains to reroute users to phishing pages. <\/p>\n\n\n\n

One such domain, registered back in 1996, was flagged as clean by antivirus tools giving users no reason to suspect anything was wrong. <\/p>\n\n\n\n

View analysis session<\/a>\u00a0<\/strong><\/p>\n\n\n

\n
\"\"\/
Exploitation of trusted website inside ANY.RUN sandbox <\/figcaption><\/figure><\/div>\n\n\n

In this ANY.RUN sandbox analysis, we can see the full picture of how the attack happens, starting with the targeted domain that was originally registered in 1996. <\/p>\n\n\n\n

By exploiting weak redirect validation, threat actors turned these safe-looking URLs into a launchpad for malicious sites. Since users believed they were still on legitimate pages, or moving between them, they were far more likely to fall for the scam. <\/p>\n\n\n\n

One of those redirects is a fake CAPTCHA page, which is automatically bypassed inside the sandbox thanks to its built-in interactivity feature, saving valuable time for security teams during analysis. <\/p>\n\n\n

\n
\"\"\/
CAPTCHA solved inside ANY.RUN sandbox <\/figcaption><\/figure><\/div>\n\n\n

After that, the user lands on a phishing page designed to look like a legitimate Microsoft login screen. But a closer look at the URL reveals it\u2019s anything but real, packed with random characters and clearly not tied to Microsoft.<\/p>\n\n\n

\n
\"\"\/
Fake Microsoft login page analyzed inside ANY.RUN sandbox <\/figcaption><\/figure><\/div>\n\n\n

These kinds of redirects damage user trust and make threat detection more difficult, especially when antivirus engines don\u2019t flag them as dangerous. <\/p>\n\n\n\n

3. Fake Booking.com Pages Delivering XWorm and Stealing Card Data\u00a0<\/strong><\/h2>\n\n\n\n

Cybercriminals love a familiar name, and this time, it was Booking.com<\/a> in their target.\u00a0<\/p>\n\n\n\n

This campaign used fake Booking-branded pages created through cybersquatting. The attackers registered domains that closely resembled the legitimate Booking site, then led users through a convincing flow that ended in either malware execution or data theft. <\/p>\n\n\n\n

View analysis session<\/a>\u00a0<\/strong><\/p>\n\n\n

\n
\"\"\/
Fake booking page delivering XWorm inside ANY.RUN sandbox <\/figcaption><\/figure><\/div>\n\n\n

In this case, the fake page instructed users to press Win + R, paste a script, and hit enter. This launched XWorm malware, capable of stealing data and giving attackers remote control. <\/p>\n\n\n

\n
\"\"\/
XWorm detected by ANY.RUN sandbox <\/figcaption><\/figure><\/div>\n\n\n

In another ANY.RUN analysis session<\/a>,<\/strong> the phishing site prompted users to enter their credit card information to \u201cverify their stay.\u201d The page looked legit, but it was nothing more than a front for harvesting sensitive financial data.\u00a0<\/p>\n\n\n

\n
\"\"\/<\/figure><\/div>\n\n\n

Domains like Iili[.]io were linked to this campaign and were also seen in use with the Tycoon2FA phishing toolkit pointing to a more extensive infrastructure behind the scenes. <\/p>\n\n\n\n

The attacks we saw in March all had one thing in common: they exploited trusted names and platforms to slip past users and security tools. That\u2019s a wake-up call for organizations everywhere. <\/p>\n\n\n\n

Here\u2019s why quick, hands-on threat analysis is more important than ever:\u00a0<\/strong><\/h2>\n\n\n\n