"Free" TradingView Premium with a stealer, record DDoS attack on Cloudflare and other cybersecurity events


We have gathered the most important news from the world of cybersecurity for the week.

  • Hackers hid a stealer in a fake TradingView Premium.
  • Experts have found a dangerous stealer for cryptocurrency users.
  • Extortionists threatened to hand over artworks to AI companies for model training.
  • A vulnerability was found in the management of Chinese robots.

Hackers hid a stealer in a fake TradingView Premium

Cybercriminals spread fake ads offering a free installation of TradingView Premium in order to push malware onto victims' Android devices. This was reported by Bitdefender researchers.

The Brokewell malware used in the campaign first appeared in early 2024. It has a wide range of capabilities, including theft of confidential data, remote monitoring, and control of the infected device.

According to the researchers, the campaign targeted cryptocurrency users. It has been active since at least July 22 and used about 75 ads localized for the Russian-speaking segment.

Example of an attacker advertisement. Source: Bitdefender.

When the victim clicked the link, they were redirected to a site imitating the original TradingView, which offered a malicious file, tw-update.apk. After installation, the application requested access to accessibility services. If granted, it displayed a fake system update window while the infostealer granted itself all the permissions it needed in the background.

In addition, the attackers tried to obtain the smartphone's screen lock PIN by mimicking an Android system request.

Fake system prompt reading "Please enter the screen lock PIN code of your smartphone to protect against malware." Source: Bitdefender.

Experts noted that the scheme targeted mobile users exclusively: when the link was opened from another type of device, harmless content was shown.

According to Bitdefender, the fake application is an "enhanced version of the Brokewell malware" and includes the following features:

  • scans BTC, ETH, USDT, and IBAN bank details;
  • steals and exports codes from Google Authenticator;
  • captures accounts through fake login screens;
  • records the screen and keystrokes, steals cookies, activates the camera and microphone, tracks geolocation;
  • intercepts SMS, including bank and 2FA codes, replacing the standard messaging application;
  • can accept remote commands via Tor or WebSockets to send SMS, make calls, delete software, or even self-destruct.

Experts have found a dangerous stealer for crypto users

Researchers from F6 reported on a malicious campaign, Phantom Papa, discovered in June. The attackers sent emails in Russian and English with attachments containing the Phantom stealer.

The stealer is built on Stealerium, a platform distributed under the crimeware-as-a-service (CaaS) model, and lets operators steal passwords, banking and cryptocurrency information, as well as the contents of browsers and messengers.

The recipients of the malicious emails were organizations from various sectors of the economy: retail, industry, construction and IT.

The report notes that the attackers favoured lures with sexual themes, such as "See My Nude Pictures and Videos". Classic phishing subjects like "Attached copy of payment No. 06162025" were also encountered.

A fragment of a phishing email offering to download an archive. Source: F6.

When the victim unpacked the RAR archive attached to the email and launched the .img or .iso file inside, the malware infected the device. Once running on the victim's machine, Phantom collected detailed information about the hardware and system configuration and stole cookies, passwords and credit card data from the browser, as well as images and documents. All collected data was exfiltrated to the attackers through Telegram bots such as papaobilogs.

Another threat to cryptocurrency owners is the Clipper module. It polled the clipboard contents endlessly at 2-second intervals and, whenever the contents changed, saved them to a file. It also scanned the title of the active window for words related to crypto services: "bitcoin", "monero", "crypto", "trading", "wallet", "coinbase".

If such a word was found, the module moved on to searching the clipboard for cryptocurrency wallet addresses by their typical prefixes. When it found one, it replaced the user's address with a pre-set address belonging to the attackers.
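The swap described above leaves a recognisable trace: a valid wallet address in the clipboard is replaced within seconds by a different valid address of the same coin. The following detector, written for this digest and not taken from the F6 report, walks a constructed clipboard timeline and flags that pattern; the address regexes are simplified shapes for Bitcoin, Ethereum and Monero, not exhaustive validators.

```python
import re

# Simplified address shapes (constructed for this example, not exhaustive):
# legacy/bech32 Bitcoin, Ethereum, and standard Monero addresses.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})"),
    "ethereum": re.compile(r"0x[a-fA-F0-9]{40}"),
    "monero": re.compile(r"4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}"),
}


def classify_address(text):
    """Return the coin whose address shape the whole clipboard text matches, else None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return coin
    return None


def detect_clipboard_swaps(snapshots, max_gap_s=3):
    """Flag clipper-style swaps: one address replaced by a different address of the
    same coin within max_gap_s seconds. snapshots is a list of
    (timestamp_seconds, clipboard_text) observations in chronological order."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if prev_text is not None:
            before, after = classify_address(prev_text), classify_address(text)
            changed = text.strip() != prev_text.strip()
            if before and before == after and changed and t - prev_t <= max_gap_s:
                alerts.append({"coin": before, "at": t,
                               "original": prev_text.strip(), "replacement": text.strip()})
        prev_t, prev_text = t, text
    return alerts


# Constructed clipboard timeline: a genuine copy at t=0 is overwritten two seconds
# later by a different address of the same coin, which is the clipper signature.
SAMPLE_SNAPSHOTS = [
    (0, "bc1q" + "q" * 38),   # user copies their own BTC address
    (2, "bc1q" + "z" * 38),   # replaced 2 s later without user action: alert
    (10, "0x" + "a" * 40),    # user copies an ETH address
    (40, "0x" + "b" * 40),    # a different ETH address 30 s later: normal use
    (41, "meeting notes"),    # non-address content is ignored
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

Real clipboard monitoring would feed `detect_clipboard_swaps` from a platform clipboard API; the time threshold should be tuned to how fast a user can plausibly copy two addresses by hand.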

Phantom also has a module called PornDetector. It monitors user activity and, if it finds any of the strings "porn", "sex" or "hentai" in the active window, saves a screenshot to a file. If the window is still active after that, the module takes a snapshot with the webcam.

Extortionists threatened to hand over artworks to AI models

On August 30, extortionists from LunaLock posted a notice of an alleged breach on the website of the artist commission service Artists&Clients. This was reported by 404 Media.

The attackers demanded a ransom of $50,000 in Bitcoin or Monero from the owners of the art marketplace. Otherwise, they threatened to publish all the data and hand over the artworks to AI companies for LLM training.

A countdown timer was placed on the site, giving the owners several days to gather the required amount. At the time of writing, the site is not functioning.

"This is the first instance where I see that attackers are using the threat of AI model training as an element of their extortion tactics," noted Flare's senior cyber threat analyst Tammy Harper in a comment to 404 Media.

She added that such tactics may prove effective against artists because the topic is so sensitive to them.

A vulnerability found in the management of Chinese robots

On August 29, a cybersecurity specialist known as BobDaHacker discovered vulnerabilities in the management platform of a leading global supplier of commercial robots. The flaw allowed the machines to be sent arbitrary commands.

Pudu Robotics is a Chinese manufacturer of robots for performing a wide range of tasks in production and public places.

BobDaHacker found that administrative access to the robot management software was not properly restricted. According to him, an attacker only needs to obtain a valid authorization token or create a test account of the kind intended for pre-purchase trials.

Once initial authentication was completed, no further authorization checks were performed. An attacker could redirect food deliveries or disable an entire fleet of restaurant robots, and anyone could make significant changes, such as renaming the robots to complicate recovery.

Cloudflare withstood a record DDoS attack

Cloudflare blocked the largest DDoS attack ever recorded, peaking at 11.5 Tbps. The network service provider reported this on September 1.

Cloudflare's defenses have been working overtime. Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps. The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.… pic.twitter.com/3rOys7cfGS

— Cloudflare (@Cloudflare) September 1, 2025

"Cloudflare's defenses have been working overtime. Over the past few weeks, we have autonomously blocked hundreds of hyper-volumetric DDoS attacks, the largest of which peaked at 5.1 billion packets per second and 11.5 Tbps," the company stated.

The record DDoS attack lasted approximately 35 seconds and originated from a combination of IoT devices and cloud providers.

Also on ForkLog:

  • Grokking. The Grok chatbot has been trained to post scam links.
  • A quantum computer hacked a "tiny" cryptographic key.
  • A plan for asset protection against quantum threats has been proposed in the USA.
  • Hackers hid malicious links in smart contracts.
  • A Venus user lost $27 million to phishing.
  • A psychology book helped to "hack" ChatGPT.
  • Hackers stole WLFI tokens using smart wallets.
  • Losses from hacks of crypto projects reached $163 million in August.
  • Binance helped freeze $47 million in fraudsters' assets.
  • El Salvador has protected its 6284 BTC from quantum threats.

What to read on the weekend?

ForkLog, in the framework of the monthly digest FLMonthly, spoke with the cryptopunk Anton Nesterov about the main threats to privacy and ways to counter them.
