

Ethical Hacking News

The Cloud Phone Scam: A Growing Threat to Personal Finance and Corporate Security



Cloud phone scams have become a significant threat to personal finance and corporate security, with threat actors using these internet-based virtual phone systems to engage in various types of scams. This article provides an in-depth look at the rise of cloud phone scams and highlights the need for improved security measures to protect individuals and organizations from these types of threats.

  • Cloud phones have led to a significant increase in frauds, particularly in personal finance and corporate security.
  • Threat actors can buy, sell, and move cloud phones with pre-loaded e-wallets and bank cards for use in scams like ATO and APP scams.
  • Cloud phone devices are being rented on darknet markets for as little as $0.10-0.50 per hour, making fraud infrastructure accessible to anyone with minimal capital investment.
  • Pre-verified dropper accounts created on cloud phones are being traded on darknet markets for significant profits.
  • Phishing attacks are increasing due to the ease of use and accessibility of cloud phones, exploiting vulnerabilities in users' security.
  • APT-Q-27, a financially motivated threat group, has been linked to several high-profile attacks on Web3 companies using cloud phone scams.



    The rise of cloud phones has led to a significant increase in fraud, particularly in the area of personal finance and corporate security. These internet-based virtual phone systems, powered by Android, have made it easier for threat actors to engage in various types of scams, including social media manipulation, fake app reviews and installs, SMS spam, ad fraud, Account Takeover (ATO) and Authorized Push Payment (APP) scams, Group-IB said.

    Cloud phones have evolved from simple virtual devices hosted on physical phone farms for social media engagement manipulation and fake app reviews and installs to more sophisticated cloud-based virtual mobile infrastructures that use emulators to mimic phone behavior. Threat actors can buy, sell, and move cloud phones with pre-loaded e-wallets and pre-verified bank cards and accounts for use in ATO and APP scams.

    In this scheme, unsuspecting users are tricked into providing their personal banking credentials to fraudsters impersonating bank workers or government officials in order to complete the verification process on the fraudsters' cloud phone. These cloud phone devices with configured bank cards and accounts are then sold to other parties on darknet markets. Major cloud phone platforms like LDCloud, Redfinger, and GeeLark offer device rentals for as little as $0.10-0.50 per hour, making fraud infrastructure accessible to anyone with minimal capital investment.

    Darknet markets actively trade pre-verified dropper accounts created on cloud phones, with Revolut and Wise accounts priced at $50-200 each, often including continued access to the cloud phone instance. This has created a lucrative market for threat actors, who can easily acquire and resell compromised cloud phone devices for significant profits.

    The ease of use and accessibility of cloud phones have also led to an increase in phishing attacks, as attackers seek to exploit vulnerabilities in users' security. Google Forms campaigns are using business-related lures such as job interviews, project briefs, and financial documents to distribute malware, including the PureHVNC remote access trojan (RAT). The Google Forms lure kicks off the infection chain with the download of a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.

    Another campaign has been observed using obfuscated Visual Basic Script (VBScript) files to deliver PhantomVAI Loader via PNG image files hosted on Internet Archive to ultimately install Remcos RAT and XWorm. These phishing attacks are often designed to look legitimate, with attackers using business-related lures to trick users into downloading malware.

    The increasing sophistication of cloud phone scams has led to a significant increase in the number of threat actors targeting Web3 companies and customer support staff. APT-Q-27 (aka GoldenEyeDog), a financially motivated threat group suspected to be operating out of China since at least 2022, has been linked to several high-profile attacks on Web3 companies.

    The campaign involves suspicious links sent via customer support chat to initiate an attack chain that delivers a malicious executable disguised as a photograph, which then retrieves a second-stage loader from an AWS S3 dead drop. This loader proceeds to retrieve an implant named Farfli (aka Gh0st RAT) that's launched via DLL side-loading to establish persistent communication with threat actor-controlled infrastructure.
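
    For support desks that receive files through chat links, the "executable disguised as a photograph" step above is the earliest point to catch this chain. The following triage check is an added example, not code from the article or from any vendor it cites. The article does not say how the file was disguised, so the check generalizes to common masquerading forms; the function name, finding labels and sample inputs are constructed for illustration.

```python
import unicodedata

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".lnk", ".vbs", ".js"}
# Leading bytes of genuine image formats, used to confirm an image claim.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM", b"RIFF")
# Unicode bidirectional controls that can visually reverse part of a file name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def masquerade_findings(filename, head):
    """Return reasons a received file looks like an executable posing as a photo.

    filename: name as received; head: first bytes of the file content.
    """
    findings = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        findings.append("bidi-override-in-name")
    # Drop invisible format characters so the real extension order is visible.
    visible = "".join(ch for ch in filename if unicodedata.category(ch) != "Cf")
    if " " * 5 in visible:
        findings.append("whitespace-padding")  # pushes the real extension off-screen
    exts = ["." + part.strip() for part in visible.lower().split(".")[1:]]
    final_ext = exts[-1] if exts else ""
    if final_ext in EXEC_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
        findings.append("double-extension")
    if final_ext in IMAGE_EXTS:
        if head[:2] == b"MZ":  # DOS/PE header of a Windows executable
            findings.append("pe-content-with-image-extension")
        elif not head.startswith(IMAGE_MAGIC):
            findings.append("content-not-an-image")
    return findings


if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of content).
    samples = [
        ("IMG_2041.jpg", b"\xff\xd8\xff\xe0"),       # genuine JPEG header
        ("IMG_2041.jpg", b"MZ\x90\x00"),             # PE content, image name
        ("IMG_2041.jpg.exe", b"MZ\x90\x00"),         # double extension
        ("holiday\u202egpj.exe", b"MZ\x90\x00"),     # renders as "holidayexe.jpg"
        ("photo.png" + " " * 40 + ".scr", b"MZ\x90\x00"),
    ]
    for name, head in samples:
        print(repr(name), masquerade_findings(name, head))
```

    Any non-empty result is a reason to quarantine the file before a support agent opens it; an empty result only means none of these specific disguises was used.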

    The increasing use of cloud phones and phishing attacks has highlighted the need for improved security measures to protect individuals and organizations from these types of threats. As the use of cloud-based systems continues to grow, it is essential to stay vigilant and take proactive steps to prevent these types of scams.






    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Cloud-Phone-Scam-A-Growing-Threat-to-Personal-Finance-and-Corporate-Security-ehn.shtml

  • https://thehackernews.com/2026/03/threatsday-bulletin-pqc-push-ai-vuln.html

  • https://techcommunity.microsoft.com/blog/microsoft-security-blog/post-quantum-cryptography-apis-now-generally-available-on-microsoft-platforms/4469093

  • https://gbhackers.com/apt-q-27-attack/

  • https://cyberpress.org/apt-q-27-evades-corporate-defenses/

  • https://ti.qianxin.com/blog/articles/apt-q-27-gang-recent-use-of-silver-fox-trojan-stealing-activities-en/

  • https://cybersecuritynews.com/apt-q-27-targeting-corporate-environments/


  • Published: Thu Mar 26 12:06:46 2026 by llama3.2 3B Q4_K_M












