In the last couple of years, the cybersecurity community has started seeing a new family of threats nicknamed “Sponge” malware. These aren’t traditional ransomware or simple stealers. They are designed to quietly soak up as much data and system access as possible over a long period, then exfiltrate or monetize it.
Two variants have become especially prominent: Cybersponge and Greedy Sponge. They share the same basic philosophy but hunt very different targets and use different tactics.
Cybersponge: The Enterprise Soaker
Target profile: Mid-to-large organizations, corporate networks, government agencies, and managed service providers.
Core behavior:
1. Focuses on long-term persistence and broad data collection.
2. Slowly maps the internal network, enumerates Active Directory, steals credentials, and collects documents, emails, and intellectual property.
3. Relies on tooling already present on the host, such as PowerShell, WMI, and RDP, so its activity blends in with routine administration and remains undiscovered.
4. Exfiltration is slow and low-volume, typically over DNS tunneling or through a legitimate cloud service (OneDrive, Dropbox, GitHub) so that it blends in with normal traffic.
Tactics used include:
1. Initial access via a compromised VPN account or phishing combined with session-token theft using a tool such as Evilginx.
2. Once inside, it sponges up virtually everything: browser sessions, stored passwords, SharePoint files, internal wiki pages, code repositories, and more.
3. It may remain dormant for weeks or even months, and will only become active when it detects valuable information.
The impact of these attacks is devastating but goes unnoticed for long periods, until the victim sees their sensitive information listed on a leak site or notices a competing company using a large body of suspiciously similar intellectual property.
Greedy Sponge: The Quick-Hit Opportunist
Target profile: individuals, small businesses, crypto users, and anyone else holding financial or personal data.
Core behavior:
1. Designed for speed and volume.
2. Targets rewards points, banking credentials, saved passwords, 2FA backup codes, and clipboard contents.
3. Uses more aggressive techniques such as clipboard hijacking, overlay phishing, and sudden, rapid exfiltration.
Common methods of attack include:
1. Delivered as fake "AI tools", cracked programs, or "viral filter" APKs (for Android).
2. Once installed, Greedy Sponge aggressively monitors the user's clipboard, takes screenshots, records keystrokes, and steals session tokens.
3. Victim data is pushed out rapidly to multiple C2 servers (>10) before the victim realizes an attack has taken place.
Impact: Fast financial loss. Victims often wake up to drained crypto wallets or unauthorized bank transfers. Because it moves quickly, it’s harder to trace after the fact.
Key Differences at a Glance
| Aspect | Cybersponge | Greedy Sponge |
|---|---|---|
| Primary Targets | Enterprises, MSPs, government | Individuals, crypto users, SMBs |
| Time Horizon | Months (long-term espionage) | Days to weeks (quick hits) |
| Data Focus | Broad (documents, AD, IP) | Narrow & high-value (wallets, creds) |
| Stealth Level | Very high (slow & quiet) | Medium (aggressive but short-lived) |
| Exfiltration Style | Low-volume, blended | Fast, multi-channel |
| Delivery | Phishing + token theft | Fake apps, cracked software |
Why Both Are Dangerous Right Now
Cybersponge represents the patient, professional attacker who wants sustained access and valuable intelligence. Greedy Sponge represents the opportunistic criminal who wants fast cash.
The worrying trend is that both are evolving. Recent samples exhibit hybrid functionality: the first half of the cycle behaves like Greedy Sponge for instant gain, and the second half switches to Cybersponge-type behavior if the compromised asset appears valuable enough.
Defensive Tactics
1. Individuals should use hardware-based 2FA to protect their accounts, refrain from sideloading applications, and regularly review their connected devices and authorized OAuth applications.
2. Organizations should segment their networks, alert on unusual Active Directory enumeration, and use behavior-based EDR rules that flag slow, low-volume data collection and staging, since these attackers deliberately move data off the targeted systems at an unusually slow rate.
3. All users should treat any free AI-based tool, offline trading bot, or viral filter APK as hazardous.
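As an added illustration of the behavior-based detection in point 2 (example code written for this article, not a rule from any product), the following Python flags a host that trickles small uploads to the same external destination on many distinct days, which is exactly the low-and-slow pattern a simple volume threshold misses. The log format, host names and domains are constructed for the example.

```python
"""Flag low-and-slow exfiltration: many small uploads from one host to one
destination spread over many days. Log format and values are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed egress log: timestamp, source host, destination, bytes sent.
EGRESS_LOG = """\
2024-03-01T02:14:00Z host=ws-17 dst=sync.cloudstore.example bytes=40000
2024-03-02T02:09:00Z host=ws-17 dst=sync.cloudstore.example bytes=38000
2024-03-03T02:17:00Z host=ws-17 dst=sync.cloudstore.example bytes=41000
2024-03-04T02:11:00Z host=ws-17 dst=sync.cloudstore.example bytes=39500
2024-03-05T02:20:00Z host=ws-17 dst=sync.cloudstore.example bytes=42000
2024-03-06T02:13:00Z host=ws-17 dst=sync.cloudstore.example bytes=40500
2024-03-01T09:30:00Z host=ws-17 dst=cdn.vendor.example bytes=2100000
2024-03-01T23:00:00Z host=ws-03 dst=backup.corp.example bytes=52000000
2024-03-02T23:00:00Z host=ws-03 dst=backup.corp.example bytes=51000000
2024-03-03T23:00:00Z host=ws-03 dst=backup.corp.example bytes=53000000
2024-03-04T11:05:00Z host=ws-09 dst=share.cloudstore.example bytes=45000
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) dst=(\S+) bytes=(\d+)$")


def parse(log):
    """Yield (timestamp, host, dst, bytes) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_low_and_slow(log, min_days=5, max_single=100_000, min_total=150_000):
    """Return {(host, dst): summary} for pairs whose every transfer stays under
    max_single bytes, that recur on at least min_days distinct days, and whose
    total reaches min_total. A legitimate bulk sync fails the max_single test;
    a one-off small upload fails the min_days test; only the trickle remains."""
    stats = defaultdict(lambda: {"days": set(), "total": 0, "largest": 0})
    for ts, host, dst, nbytes in parse(log):
        s = stats[(host, dst)]
        s["days"].add(ts.date())
        s["total"] += nbytes
        s["largest"] = max(s["largest"], nbytes)
    return {
        key: {"days": len(s["days"]), "total": s["total"], "largest": s["largest"]}
        for key, s in stats.items()
        if len(s["days"]) >= min_days
        and s["largest"] <= max_single
        and s["total"] >= min_total
    }
```

In a real deployment the same aggregation would run over proxy or NetFlow records with thresholds tuned to the baseline of each host group, and the `days` window would be bounded (for example, the last 30 days) rather than unbounded as here.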
Cybersponge and Greedy Sponge both demonstrate how cybercriminals have improved their ability to camouflage themselves and remain patient when it benefits them.
The strongest defense is a layered one: technical controls combined with a healthy dose of scepticism toward anything offering free or rapid results.