CloudSEK Updates

CloudSEK’s latest report highlights a major shift in mobile financial fraud, where threat actors use the LSPosed framework to manipulate Android at runtime and bypass UPI SIM-binding security without altering legitimate payment apps. The technique enables remote SMS injection, identity spoofing, OTP interception, and real-time account takeover at scale. The report urges banks to adopt stronger device integrity checks and carrier-side validation to counter this evolving threat.

More than 60 Iranian-aligned cyber groups mobilized within hours of the February 28, 2026 Iran-US escalation, as AI tools sharply lowered the barrier to targeting America’s internet-exposed critical infrastructure. The report shows how exposed ICS systems, default credentials, and AI-assisted reconnaissance are converging into a fast-growing national security risk.

The 28 February 2026 strikes accelerated an existing cyber threat to U.S. critical infrastructure, rather than creating it. This report examines who is targeting industrial control systems (ICS), how attacks are carried out, and the scale of the exposed attack surface. Critical infrastructure is a prime retaliation target due to high civilian impact, a large number of internet-exposed ICS devices, and long-standing underinvestment in OT cybersecurity.

CloudSEK has uncovered a malicious SMS spoofing campaign spreading a fake version of Israel’s “Red Alert” emergency app amid the ongoing conflict. Disguised as a trusted warning platform, the trojanized Android app can steal SMS, contacts, and location data while appearing legitimate. The report highlights how cybercriminals are weaponising public fear during crises to deploy mobile spyware with serious security and real-world implications.

The report examines the sharp escalation following the 28 February 2026 joint Israel–U.S. strikes on Iran, triggering a hybrid conflict blending kinetic attacks with unprecedented cyber operations. Iran faced near-total internet disruption, while retaliatory missile and cyber activity spread across Israel, the Gulf, and beyond. Over 150 hacktivist incidents were recorded, with global spillover risks to energy, finance, IT, and critical infrastructure sectors

CloudSEK researchers infiltrated Gunra’s newly launched RaaS affiliate program, gaining access to its live panel and ransomware locker. Our analysis reveals a highly optimized ChaCha20 + RSA-4096 hybrid encryption engine, multi-threaded execution, surgical file targeting, and offline stealth capabilities.

A single leaked credential from a fourth-party vendor recently exposed the digital infrastructure of 200 global airports. This security failure highlights how a lack of Multi-Factor Authentication can jeopardize critical systems, including baggage reconciliation and passenger kiosks. Discover how SVigil identified this backdoor before it cost the industry billions.

CloudSEK researchers have uncovered ZHGUI, a sophisticated China-linked cryptocurrency scam targeting Southeast Asian investors. Disguised as a compliant U.S. exchange using fake regulatory credentials, ZHGUI employs "pig-butchering" social engineering and mirror-exchange infrastructure to siphon millions in USDT. Discover the technical indicators and on-chain evidence behind this global fraud network.

CloudSEK’s latest investigation exposes a rapidly evolving fraud ecosystem targeting Canadians through highly convincing impersonation of government services and trusted national brands. From fake traffic fines and tax refunds to airline bookings and parcel delivery alerts, attackers are scaling operations using shared infrastructure and phishing-as-a-service models. The report reveals how urgency and institutional trust are weaponized—and what organizations must do to stay ahead.