
Stalkerware & Ransomware Risks Grow As Legal Action Takes Down Malware Actors

By Manali Kekade

TD NewsDesk

Updated on Fri, May 23, 2025

In our highly connected world, cybersecurity has become one of the most essential considerations at each touchpoint. From data stored on our smartphones to the vital infrastructure running our cities, digital assets are under continuous threat from increasingly sophisticated cybercriminals.

The past few days alone have brought to light the dynamic, and often aggressive, nature of cyber threats. These incidents underscore both sides of the coin: the vulnerabilities exploited by malicious actors and the determined efforts of global law enforcement to counter them.

So, let’s see which recent events have reshaped the ever-changing world of cybersecurity. Read on!
 

Stalkerware Apps Go Dark After Damaging Data Breach


Earlier this year, a significant data breach exposed sensitive information from millions of users through three prominent stalkerware apps (software tools that secretly track a device's location and activity): Spyzie, Cocospy, and Spyic.

Messages, photos, and location data from victims' devices were laid bare, while an additional 3.2 million email addresses belonging to the stalkerware’s customers were also compromised, according to Danny Bradbury at Malwarebytes Labs.

In the wake of this compromise, the company took all its apps offline without any explanation.

The websites promoting the stalkerware have also disappeared, while the apps have "gone dark," and their Amazon Web Services storage has been removed. Further investigation shows that other tracking apps run by the same organization, including FamiSoft Limited, Teensafe, Spyier, Neatspy, Fonemonitor, Spyine, and Minspy, have also been taken offline.

Stalkerware apps occupy a legally grey area and are highly controversial, often enabling abusers to secretly monitor their partners. Danny Bradbury notes that the person being tracked is usually unaware or often coerced into installing the software.

"They are victimized twice: once when an individual invades their privacy, and twice when crummy infrastructure exposes their information more widely," Bradbury stated. The exact reason behind the company's abrupt shutdown remains uncertain, but avoiding legal consequences from the data leak is a likely factor.

This isn’t an isolated case. Last year, the app pcTattletale was discovered to be secretly accessing networks at several U.S. Wyndham hotels, capturing screenshots of booking systems with guest and customer information. This "simple stalkerware," as described by its discoverer Eric Daigle, also suffered from a bug that made its captured screenshots publicly accessible.

To check for stalkerware on an Android device, dial **001** and press the call button. This may reveal hidden apps, if they are present, although this technique won't detect all types of malware.

As stalkerware apps fade, more aggressive threats are stepping into the spotlight. Most recently, a ransomware gang innovated by combining spam and social engineering for maximum impact. Dive in for the details!
 

3AM Ransomware Group Adopts Email Bombing In Combination With Vishing Attacks


The newly surfaced 3AM ransomware group is ramping up its attacks by combining email bombing with vishing (voice phishing), a tactic previously only seen from the Black Basta ransomware group. This shift highlights how modern cyber criminals are rapidly evolving by adopting more sophisticated and aggressive methods.

Researchers at Sophos recently identified an attack in Q1 2025 in which 3AM affiliates used this approach, successfully exfiltrating data from the targeted system, although the ransomware deployment itself was not completed.

This attack pattern floods employees with unwanted emails, then follows up with a voice or video call, often via Microsoft Teams, with attackers impersonating tech support to gain remote access via Quick Assist or AnyDesk.

Government agencies first spotted this tactic with Black Basta, and other groups like Microsoft-tracked Storm-1811 and 3AM have since copied it.

Between November 2024 and mid-January 2025, Sophos documented over 15 incidents and detected 55 other attempted attacks using this specific method. The spread of the technique across multiple groups in so short a time shows how quickly a successful social-engineering playbook is copied.

Yet, there is hope in the form of law enforcement, ethical hackers, and private security providers.

So, let’s check the next incident, where a Russian malware operator was criminally charged over malware attacks that infected hundreds of thousands of devices worldwide.
 

Russian Hacker Charged Over Qakbot Malware Infecting 700,000 Computers


As part of Operation Endgame, U.S. authorities announced criminal charges and a civil forfeiture case against Rustam Rafailevich Gallyamov, a 48-year-old Russian national from Moscow, accused of leading the cybercrime ring behind Qakbot (also known as Qbot).

This notorious malware infected over 700,000 computers worldwide and enabled ransomware attacks that cost victims tens of millions of dollars. Gallyamov is charged with conspiracy to commit computer fraud and wire fraud, but he is in Russia and not in U.S. custody.

Qakbot spreads by tricking victims into downloading Windows malware via phishing emails with malicious attachments. Once installed, it can create backdoors, install ransomware, track keystrokes, and steal passwords and other sensitive data.

According to the indictment, Gallyamov has developed and controlled Qakbot since 2008 and, from 2019, actively used it to build a global botnet of infected computers. He allegedly gave ransomware groups such as Prolock, Doppelpaymer, Egregor, REvil, Conti, Black Basta, and Cactus access to this network in exchange for a share of their illegal profits.

In 2023, a multinational law enforcement effort led by the FBI seized 52 Qakbot servers and over $8.6 million in cryptocurrency, which authorities believed would prevent the botnet's resurrection. However, the botnet reappeared three months later.

After the FBI disruption, Gallyamov and his group shifted to "spam bomb attacks," flooding email inboxes with fake IT support emails to trick employees into running malware. This gave the attackers access to corporate systems, leading to data theft, encryption, and ransom demands.

On April 25, the FBI seized illegal funds from Gallyamov, including over 30 bitcoins and $700,000 in USDT. The Justice Department also filed a case to keep over $24 million already taken from him, with plans to return the money to Qakbot’s victims.

The investigation into Gallyamov, led by the FBI’s Los Angeles Field Office, received support from German, Dutch, and French law enforcement agencies, as well as Europol.

This massive crackdown on malware set the stage for the takedown of another notorious malware operation.
 

DanaBot Malware Operation Seized In Global Takedown


In a major victory against cybercrime, a global coalition of law enforcement and private security teams disrupted the DanaBot malware operation by seizing its command-and-control servers, effectively shutting down the malware-as-a-service platform.

Plus, federal officials have unsealed a grand jury indictment and criminal complaint charging 16 individuals for their alleged involvement in the development and deployment of DanaBot.

Emerging in 2018 as a banking trojan, DanaBot evolved through multiple updates to become an information-stealing loader for other malware attacks. The Russia-based cybercrime organization controlling DanaBot infected over 300,000 computers worldwide, resulting in an estimated $50 million in fraud and ransomware damages, according to the Justice Department.

This successful disruption of a global botnet like DanaBot marks the second major law enforcement takedown of a widespread malware operation in as many days, following the dismantling of the Lumma Stealer infostealer operation.

While two of the 16 accused DanaBot operators, Aleksandr Stepanov, 39, and Artem Kalinkin, 34, from Novosibirsk, Russia, remain at large, the takedown marks a major blow to the group.

DanaBot offered extensive capabilities to cybercriminals, allowing them to hijack banking sessions and steal credentials, device information, browser histories, and cryptocurrency wallet information. It even gave them full remote access to victims' computers to record keystrokes and video.

CrowdStrike's Adam Meyers, Senior Vice President of Counter Adversary Operations, noted, “It seems like the Russian government had access and was tasking this botnet and using it for espionage purposes. That is like a new level of cooperation and interconnection that I think hasn’t really been publicly disclosed before.” The blend of espionage and cybercrime makes DanaBot unique in the cyber-risk landscape.

Kenneth DeChellis, Special Agent in Charge of the Department of Defense Office of Inspector General, Defense Criminal Investigative Service (DCIS), Cyber Field Office, emphasized the significance of this action, saying, “The enforcement actions announced today, made possible by enduring law enforcement and industry partnerships across the globe, disrupted a significant cyber threat group, who were profiting from the theft of victim data and the targeting of sensitive networks. The DanaBot malware was a clear threat to the Department of Defense and our partners.”

The DanaBot malware posed a serious threat to the Department of Defense and its partners. The FBI’s Anchorage Field Office and DCIS led the investigation, with key support from federal police in Germany, the Netherlands, and Australia, as well as cybersecurity firms like Amazon, CrowdStrike, Google, and others.

A trend of continued global teamwork, among cyber criminals as much as among law enforcement agencies, has reshaped cybersecurity as we know it. Only a strong, united effort can tackle fast-changing and sophisticated cyber threats.

Do you think our existing protection strategies are falling short? How can they evolve to account for new attack vectors?

Let us know your thoughts in the comments below!

First published on Fri, May 23, 2025
