---
title: "Vapor Apps Malware, Coinbase Phishing Scam, Medusa Ransomware Attack , Cybersecurity News [March 17, 2025] | DuoCircle"
description: "Vapor Apps Malware, Coinbase Phishing Scam, Medusa Ransomware Attack, Cybersecurity News [March 17."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-13-of-2025/"
---

Quick Answer

Week ending March 17, 2025 covered: 331 'Vapor' Android apps with 60 million Google Play installs identified by IAS Threat Lab and Bitdefender, using disabled launcher activities and system-app disguises to push full-screen ads or fake Facebook and YouTube login screens; a Coinbase phishing email that mimics a self-custodial wallet migration notice, links to the genuine Coinbase Wallet page, and convinces users to set up a wallet using a recovery phrase the attacker controls (it passes SPF, DKIM, and DMARC because it is sent through Akamai's SendGrid); a joint FBI/CISA/MS-ISAC advisory on Medusa ransomware impacting 300+ critical-infrastructure organizations as a RaaS that pays Initial Access Brokers $100 to $1 million, with attacks up roughly 42% year-over-year; the Arcane infostealer (active since November 2024) spreading through YouTube and Discord game-cheat videos and stealing VPN, gaming, messaging, and browser credentials; and a $6.1 million theft (8,654,860 WEMIX tokens) from blockchain gaming platform WEMIX on February 28, 2025, after attackers stole authentication keys for the NILE NFT service and lurked for two months before 13 of 15 unauthorized withdrawals succeeded.

# Vapor Apps Malware, Coinbase Phishing Scam, Medusa Ransomware Attack, Cybersecurity News \[March 17, 2025\]


[ Download episode](https://media.mailhop.org/duocircle/images/2025/03/Vapor-Apps-Malware-Coinbase-Phishing-Scam-Medusa-Ransomware-Attack---Cybersecurity-News-March-17-2025.mp3) 


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/03/spf-record-check-8904.jpg) 

The internet never sleeps, and neither do cyber threats or the malicious actors behind them. This week, sneaky apps tricked millions, hackers pulled off a clever email scam, and a big [ransomware attack](https://thehackernews.com/2024/08/us-agencies-warn-of-iranian-hacking.html) hit critical systems. Meanwhile, Google is making a **massive security move**, and Telegram’s CEO is caught up in legal trouble. Here’s everything you need to know about the latest in [cybersecurity](/)!

### Malicious ‘Vapor’ Apps on Google Play Reach 60 Million Installs

A massive Android malware operation has been uncovered, with [over 300 malicious apps](https://www.forbes.com/sites/daveywinder/2025/03/18/60-million-malicious-google-play-downloads-as-331-apps-bypass-security/) downloaded 60 million times from Google Play.

The threat was exposed by **IAS Threat Lab**, which named the malware “Vapor”; [Bitdefender later expanded](https://www.bitdefender.com/en-us/blog/labs/malicious-google-play-apps-bypassed-android-security) on those findings. These apps are disguised as useful tools like fitness trackers and [QR code scanners](https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware) and work in one of two ways: either bombarding users with ads or attempting to steal credentials and [credit card information](https://www.infosecurity-magazine.com/news/cyber-attack-exposes-credit-card/). For organizations and users alike, adopting [QR code tracking](https://www.uniqode.com/qr-code-generator/for-tracking) can help verify scan destinations and detect suspicious redirects before damage occurs.

Google has removed the apps, but the threat actors have already shown that they can **simply bypass security checks**, meaning similar attacks can surface in the future. The Vapor apps were carefully designed to evade detection. _The apps made themselves invisible by disabling their launcher activity and renaming themselves to appear as system applications_. Some of these forced full-screen ads over other apps, and others displayed [fake login screens](https://www.techtarget.com/healthtechsecurity/news/366595545/Credential-Theft-Via-Spoofed-Login-Pages-Increase-Healthcare-Top-Target) for Facebook and YouTube, tricking users into entering credentials.

So, how can you **stay protected against such threats** in the future? You should avoid downloading apps from unknown developers and monitor the permissions that apps request. Also, keep an eye out for apps with hidden icons, intrusive ads, or ones that ask for sensitive information.

[![attacks](https://media.mailhop.org/duocircle/images/2025/03/spf-record-generator-7763.jpg)](/announcements/cyber-security-news-update-week-13-of-2025/attachment/spf-record-generator-7763)

### Phishing Scam Targets Coinbase Users with Fake Email

There’s also a [new phishing scam targeting Coinbase](https://www.bitdefender.com/en-us/blog/hotforsecurity/mandatory-coinbase-wallet-migration-its-a-phishing-scam) users, tricking them into setting up wallets with a recovery phrase controlled by attackers.

The email falsely claims that [Coinbase is moving to self-custodial wallets](https://x.com/coinbasesupport/status/1900632373651210421) due to a lawsuit. The [phishing links](https://www.computerweekly.com/news/366605874/Phishing-links-becoming-bigger-threat-than-email-attachments) lead to the real Coinbase Wallet page, which is why many people do not suspect anything is wrong until it’s too late. Once they set up the fake wallet and transfer funds into it, the attackers can **instantly take control**.

What makes this attack even more deceptive is its ability to **bypass spam filters**. The email appears to come from Coinbase but actually uses an address linked to Akamai’s SendGrid service. That’s why it even passes [SPF](/resources/what-is-spf), [DMARC](https://dmarcreport.com/), and [DKIM](/resources/what-is-dkim) security checks. Akamai has acknowledged the issue and is investigating, but the threat remains active.
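A mail filter can still catch this class of message by comparing the brand a message claims with the domain that actually authenticated. The sketch below is an added example, not code from the article or any vendor; the brand allowlist, the trusted `authserv-id`, and the `*.example` domains are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand legitimately sends from (illustrative allowlist).
BRAND_DOMAINS = {"coinbase": {"coinbase.com"}}

def make_message(display, from_domain, dmarc="pass"):
    """Build a constructed sample message; all header values are invented."""
    return (
        "Authentication-Results: mx.recipient.example;\n"
        f" spf=pass smtp.mailfrom=bounce.{from_domain};\n"
        f" dkim=pass header.d={from_domain};\n"
        f" dmarc={dmarc} header.from={from_domain}\n"
        f'From: "{display}" <no-reply@{from_domain}>\n'
        "Subject: Action required: wallet migration\n"
        "To: user@recipient.example\n"
        "\n"
        "Constructed body.\n"
    )

def auth_results(msg, trusted_authserv):
    """Parse Authentication-Results headers stamped by our own MTA only."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = re.sub(r"\s+", " ", value).split(";")   # unfold, then split
        ident = parts[0].strip().split()
        if not ident or ident[0].lower() != trusted_authserv:
            continue  # a header added upstream can be forged by the sender
        for part in parts[1:]:
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
            if not m:
                continue
            d = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(\S+)", part)
            domain = d.group(1).rpartition("@")[2].lower() if d else ""
            out[m.group(1)] = (m.group(2).lower(), domain)
    return out

def in_domains(domain, allowed):
    """True if domain equals, or is a subdomain of, an allowed domain."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def assess(raw, trusted_authserv="mx.recipient.example"):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    results = auth_results(msg, trusted_authserv)
    dmarc_pass = results.get("dmarc", ("none", ""))[0] == "pass"
    # Brand named in the display name or subject, but sent from another domain.
    text = f"{display} {msg.get('Subject', '')}".lower()
    impersonated = [b for b, doms in BRAND_DOMAINS.items()
                    if b in text and not in_domains(from_domain, doms)]
    if impersonated and dmarc_pass:
        verdict = "authenticated-but-not-brand"   # the case described above
    elif impersonated:
        verdict = "unauthenticated-brand-claim"
    else:
        verdict = "ok" if dmarc_pass else "unauthenticated"
    return {"from_domain": from_domain, "auth": results,
            "dmarc_pass": dmarc_pass, "impersonated": impersonated,
            "verdict": verdict}

if __name__ == "__main__":
    for dom in ("sender.example", "coinbase.com"):
        print(dom, assess(make_message("Coinbase", dom))["verdict"])
```

A DMARC pass only proves the message came from the domain in its From header; it says nothing about whether that domain belongs to the brand shown in the display name.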

_Coinbase has warned users, reminding them that they will never send a recovery phrase and that any email claiming to do so is a scam_. If you wish to stay safe against this and similar threats, you should make it a rule never to use a recovery phrase provided to you **via email or any website**.

### CISA Reports Medusa Ransomware Attack on 300+ Critical Infrastructure Organisations

The FBI, [CISA, and MS-ISAC have issued a joint warning](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a), urging organizations to strengthen their defenses because Medusa ransomware has been wreaking havoc, hitting over 300 critical infrastructure organizations in the **U.S. as of last month**.

Medusa was originally a closed ransomware operation but has now evolved into a RaaS (Ransomware-as-a-Service) model, allowing affiliates to carry out attacks. The group recruits [IABs (Initial Access Brokers)](https://www.bleepingcomputer.com/news/security/how-initial-access-brokers-iabs-sell-your-users-credentials/) from cybercriminal forums and offers payments between $100 and $1 million for access to potential victims. The group has been responsible for [high-profile breaches](https://www.securityweek.com/560000-people-impacted-across-four-healthcare-data-breaches/), including an attack on Minneapolis Public Schools in 2023 and a failed $8 million ransom attempt against Toyota Financial Services. Its attacks surged by **42% between 2023 and 2024**, nearly doubling in early 2025.

_Organizations should keep all software and systems updated, segment networks to prevent lateral movement and block remote access from untrusted sources_. Taking these steps can reduce the risk of falling victim to one of the most aggressive ransomware threats in recent years.

### New Arcane Infostealer Spreads Through YouTube and Discord Using Game Cheats

A newly identified [malware called Arcane](https://www.bleepingcomputer.com/news/security/new-arcane-infostealer-infects-youtube-discord-users-via-game-cheats/) is actively stealing a vast amount of user data, including credentials for VPN accounts, gaming platforms, messaging apps, and **sensitive information stored in web browsers**.

Kaspersky researchers shared a [report](https://securelist.com/arcane-stealer/115919/) on this and confirmed that Arcane has no direct connection to the long-circulating Arcane Stealer V despite the similarity in names. It was **first noticed back in November 2024** and has undergone multiple changes, including alterations to its core payload. The malware spreads through deceptive YouTube videos that promote game cheats and cracked software. Basically, the victims are tricked into downloading password-protected archives that contain an obfuscated script. When they execute it, it downloads another archive housing malicious executables.

This threat can expose you to identity theft, financial fraud, and even extortion, so it’s best to make it a habit to **avoid downloading unauthorized software**, particularly game cheats and pirated programs.

### Hackers Steal $6.1 Million in Cyberattack on Blockchain Gaming Platform WEMIX

It seems [threat actors](/email-security/what-threat-actor-can-do-with-your-emails-without-password/) have taken a liking to the gaming community: the blockchain platform WEMIX fell victim to a cyberattack, resulting in the theft of **8,654,860 WEMIX tokens**, valued at approximately $6.1 million.

[![Blockchain Gaming](https://media.mailhop.org/duocircle/images/2025/03/spf-permerror-4568.jpg)](https://media.mailhop.org/duocircle/images/2025/03/spf-permerror-4568.jpg)

The breach (which **occurred on February 28, 2025**) was confirmed by WEMIX CEO Kim Seok-Hwan during a press conference this week, where he [explained](https://www.yna.co.kr/view/AKR20250317065851017) that this was a strategic decision to protect users and prevent further financial damage. The organization did take immediate action to contain the breach and report it to law enforcement. Still, the attackers had already liquidated most of the stolen tokens, impacting the market significantly.

The hackers gained access to [WEMIX](https://www.scworld.com/brief/nearly-6-1m-pilfered-in-wemix-hacking-incident) by stealing authentication keys associated with NILE, the **platform’s NFT service**. Then, the attackers lurked in the system for two months, carefully planning their moves. When they finally acted, they attempted fifteen unauthorized withdrawals, succeeding in thirteen of them. The stolen tokens were swiftly laundered through cryptocurrency exchanges, making recovery difficult.

[Cyberattacks on crypto-based ecosystems](https://thehackernews.com/2024/09/us-sanctions-two-crypto-exchanges-for.html) are becoming increasingly sophisticated, so you should avoid storing large amounts of assets on **exchange platforms** and use hardware wallets for added security.

## Topics

cyber security, DKIM, DMARC, News, Security, spf, Updates

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


