John Hammond

Cybersecurity Shenanigans #010: "Malware in the Google Play Store?!" and other cybersecurity nightmares

This month's cybersecurity scoop.

👋 Hey friend,

Wow, our 10th newsletter! The issue number finally looks like binary code! 😂

Between my day job at Huntress, working on Just Hacking Training content, and making videos, it’s been busy in my world. (Busy is good, though!) That is to say, this newsletter is packed with new content and resources that will hopefully prove to be helpful to you. (And if it’s not, please reply to this email and let me know!)

Whether you’re new to this newsletter or you’ve been around since issue #001, I appreciate you being here.

(((And for not reporting this thing as spam. 💙💙💙)))

— JH

News & Commentary

Large-scale malware campaign discovered on the Google Play Store 📱

Android users: You might wanna take another look at the apps on your phone.

A large-scale malware campaign known as “Vapor” recently took hold of the Google Play Store in the form of 300+ malicious Android apps that were downloaded a whopping 60 million times. And a few of these 300+ apps tried to steal user creds and credit card information via phishing attacks.

Here’s the thing, though: These adware-infused apps weren’t your typical applications that make you go…

Sorry everyone — my marketing friend who helps me with these newsletters made me :(

(Think the spammy-looking games that your grandma won’t let you remove from her phone.)

No, these apps looked like legitimate utilities: health and fitness trackers, notes tools — productivity apps that we all download from time to time. They were so convincing (and malware-free, at the time of submission) that Google’s review process for the apps didn’t even flag them, so the apps made it to the legitimate Google Play Store. And because they could be downloaded from the Google Play Store, who would’ve thought to question their legitimacy?

All that to say, please be cognizant of app permissions. Android is pretty good about letting you pick and choose the permissions you give — so maybe take a pause the next time your motivational quotes app asks for access to your contacts and photos. 👀

(And if you’re an Android user, make sure none of these apps are on your phone: AquaTracker, ClickSave Downloader, Scan Hawk, Water Time Tracker, Be More, BeatWatch, TranslateScan, and Handset Locator.)

Microsoft sniffs out a new RAT 🐀

Microsoft has identified a new remote access trojan, or RAT, called StilachiRAT — and its resume is impressive. 😅

StilachiRAT is capable of reconnaissance, credential theft, and cryptocurrency wallet exploitation. And this RAT has a keen sense of smell to boot: It hunts down and targets sensitive information — such as credentials stored in browsers, clipboard data, and system details — while specifically scanning for config files from 20+ crypto wallets. And did I mention it even comes with its own persistence mechanism? 🫠

The good(ish) news? This one hasn’t really made its rounds in the wild (yet).

Because this RAT also enables bad actors to execute commands remotely, Microsoft urges folks to do what they should already be doing: Only download software from official sources and invest in a solid security solution.

Google has acquired Wiz 💙

Gotta give a newsworthy shout-out to my friends at Wiz for their big news this week. Google has acquired them — for $32 billion. This incredible announcement also marks the largest acquisition deal in Google’s history. (!!!)

Congrats to the Wiz team! 🎉

Latest Content

YouTube Videos

// This one’s a must-watch — especially if you’ve got family and friends who can’t resist a good pop-up.

// Are built-in Windows programs vulnerable? 👀

// A hacker inadvertently gave us some insider info during a ransomware incident.

Email being clipped?

Here’s some actually helpful advice: You can view the email in your browser: https://johnhammond.beehiiv.com/p/cybersecurity-shenanigans-010.

(And as always, thanks for nothing, Clippy. 💙)

Just Hacking Training 🤓
March Announcements

We’re celebrating Women’s History Month! 🦸‍♀️

No marketing gimmicks. No cheesy sales. I just want to honor the wonderful women we’re lucky to have as part of our All-Star lineup by releasing 4 FREE Upskill Challenges showcasing their talents.

And let’s not forget the amazing work by one of JHT’s charter authors, Ellie Daw, with her course “Ease Me into Cryptography” and 2 UCs, Quantum Computing & Quantum Programming (our best UC IMHO).

Livestream this Friday!

Join me for API Hacking with Katie Paxton-Fear

AMA, Live Demos, and a Giveaway

Friday, March 21 at 2 PM ET / 11 AM PT. Details on our Events page.

Recently Released Bundles

  • The “Mishaal” Bundle

  • Mastering Active Directory Security (MADS) Volumes 1 – 3

  • Windows Malware Dev (WMD) 1 & 2

On deck for April 2025 and beyond!

  • Constructing Defense Redux by Anton Ovrutsky (Livestream Guest Fri April 4)

  • WMD 3 Course by Dahvid Schloss

  • MADS 4 and 5 Courses by Slavi Parpulev

  • Next Level OSINT Course by Mishaal Khan

  • Numerous Courses, HALs, UCs & CTFs

With new content released twice a month throughout 2025, bi-monthly livestreams with our experts and even some “Name Your Price” options, JHT provides "Focused Technical Training for All Levels" to advance your career regardless of experience level or budget.

Come hang out with us hackers in Discord and engage with me, our All-Star instructors, students, and the rest of our community.

Social

Information Security Talent Search Keynote 🙂

I had the absolute honor of speaking during RITSEC’s annual Information Security Talent Search: a three-day event packed with red, blue, and purple team exercises, capture the flag challenges, and so much more.

And a huge shout-out to Texas A&M, the ISTS 2025 Champions!

Thanks for having me!

Got feedback?

We’re 10 issues into this newsletter, and I’d love to check in with you: Is this thing helpful? Mildly entertaining? Awkward?

I can’t promise to make it less awkward, but I would love your ideas on how to make it more entertaining and helpful as a resource.

Please reply to this email and let me know what you’re loving — and what you’d like to see in this thing.

Thank you!