Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
Supply Chain Attack
AI Tool GlassWorm malware Open VSX Supply Chain Attack

GlassWorm Abuses 72 Open VSX Extensions in Bold Supply-Chain Assault

 

GlassWorm has resurfaced with a more aggressive supply‑chain campaign, this time weaponizing the Open VSX registry at scale to target developers. Security researchers say the latest wave represents a significant escalation in both scope and stealth compared to earlier activity. 

Since January 31, 2026, at least 72 new malicious Open VSX extensions have been identified, all masquerading as popular tools like linters, formatters, code runners, and AI‑powered coding assistants. These look and behave like legitimate utilities at first glance, making it easy for busy developers to trust and install them. Behind the scenes, however, they embed hidden logic designed to pull in additional malware once inside a development environment.

The attackers now abuse trusted Open VSX features such as extensionPack and extensionDependencies to spread their payloads transitively. An extension can appear harmless on installation but later pull in a malicious dependency via an update or a bundled pack. This approach allows the threat actor to minimize obviously suspicious code in each listing while still maintaining a broad infection path.

Once executed, GlassWorm behaves as a multi‑stage infostealer and remote access tool targeting developer systems. It focuses on harvesting credentials for npm, GitHub, Git, and other services, then uses those stolen tokens to compromise additional repositories and publish more infected extensions. This creates a self‑reinforcing loop that can quickly expand across ecosystems if not promptly contained. 

Beyond credentials, GlassWorm aggressively targets financial data by going after more than 49 different cryptocurrency wallet browser extensions, including popular wallets like MetaMask, Coinbase, and Phantom. Stolen cookies and session tokens can enable account takeover, while drained wallets provide immediate monetization for the attackers. In later stages, the malware deploys a hidden VNC component and SOCKS proxy, effectively converting developer machines into nodes within a criminal infrastructure. 

For developers and organizations, this campaign underscores how extension ecosystems have become high‑value attack surfaces. Teams should enforce strict extension allowlists, monitor unusual repository activity, and rotate credentials if any suspicious Open VSX extensions were recently installed. Security tooling that inspects extension metadata, dependency chains, and post‑install behavior is now essential to counter evolving threats like GlassWorm.
Read more »
zero-day cyberattack
CISA CVE-2025-0282 Ivanti Connect Secure vulnerability malware RESURGE UNC5221 threat actor zero-day cyberattack

CISA Reveals New Details on RESURGE Malware Exploiting Ivanti Zero-Day Vulnerability

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published fresh technical insights into RESURGE, a malicious implant leveraged in zero-day attacks targeting Ivanti Connect Secure appliances through the vulnerability tracked as CVE-2025-0282.

The latest advisory highlights the implant’s ability to remain undetected on affected systems for extended periods. According to CISA, the malware employs advanced network-level evasion and authentication mechanisms that allow attackers to maintain hidden communication channels with compromised devices.

CISA first reported the malware on March 28 last year, noting that it can persist even after system reboots. The implant is capable of creating web shells to harvest credentials, generating new accounts, resetting passwords, and escalating privileges on affected systems.

Security researchers at incident response firm Mandiant revealed that the critical CVE-2025-0282 flaw had been actively exploited as a zero-day vulnerability since mid-December 2024. The campaign has been linked to a China-associated threat actor identified internally as UNC5221.

Network-level evasion techniques

In the updated bulletin, CISA shared additional technical details about the implant. The malware is a 32-bit Linux shared object file named libdsupgrade.so that was recovered from a compromised Ivanti device.

RESURGE functions as a passive command-and-control (C2) implant with multiple capabilities, including rootkit, bootkit, backdoor, dropper, proxying, and tunneling functions.

Unlike typical malware that regularly sends signals to its command server, RESURGE remains idle until it receives a specific inbound TLS connection from an attacker. This behavior helps it avoid detection by traditional network monitoring systems.

When loaded within the ‘web’ process, the implant intercepts the ‘accept()’ function to inspect incoming TLS packets before they reach the web server. It searches for particular connection patterns originating from remote attackers using a CRC32 TLS fingerprint hashing method.

If the fingerprint does not match the expected pattern, the traffic is redirected to the legitimate Ivanti server. CISA also explained that the attackers rely on a fake Ivanti certificate to confirm that they are interacting with the malware implant rather than the genuine web server.

The agency noted that the forged certificate is used strictly for authentication and verification purposes and does not encrypt communication. However, it also helps attackers evade detection by impersonating the legitimate Ivanti service.

Because the fake certificate is transmitted over the internet without encryption, CISA said defenders can potentially use it as a network signature to identify ongoing compromises.

Once the fingerprint verification and authentication steps are completed, attackers establish encrypted remote access to the implant through a Mutual TLS session secured with elliptic curve cryptography.

"Static analysis indicates the RESURGE implant will request the remote actors' EC key to utilize for encryption, and will also verify it with a hard-coded EC Certificate Authority (CA) key," CISA says.

By disguising its traffic to resemble legitimate TLS or SSH communications, the implant maintains stealth while ensuring long-term persistence on compromised systems.

Additional malicious components

CISA also examined another file, a variant of the SpawnSloth malware named liblogblock.so, which is embedded within the RESURGE implant. Its primary role is to manipulate system logs to conceal malicious activities on infected devices.

A third analyzed component, called dsmain, is a kernel extraction script that incorporates the open-source script extract_vmlinux.sh along with the BusyBox collection of Unix/Linux utilities.

The script enables the malware to decrypt, alter, and re-encrypt coreboot firmware images while modifying filesystem contents to maintain persistence at the boot level.

“CISA’s updated analysis shows that RESURGE can remain latent on systems until a remote actor attempts to connect to the compromised device,” the agency notes. Because of this, the malicious implant "may be dormant and undetected on Ivanti Connect Secure devices and remains an active threat."

To address the risk, CISA recommends that administrators review the updated indicators of compromise (IoCs) provided in the advisory to identify potential RESURGE infections and remove the malware from affected Ivanti systems.
Read more »
phishing
AppleChris APT Data malware MemFun phishing

Chinese Threat Actors Attack Southeast Asian Military Targets via Malware


A China-based cyber espionage campaign is targeting Southeast Asian military targets. The state-sponsored campaign started in 2020. 

Palo Alto Networks Unit 42 has been tracking the campaign under the name CL-STA-1087. Here, CL means cluster, and STA means state-backed motivation. 

According to security experts Yoav Zemah and Lior Rochberger, “The activity demonstrated strategic operational patience and a focus on highly targeted intelligence collection, rather than bulk data theft. The attackers behind this cluster actively searched for and collected highly specific files concerning military capabilities, organizational structures, and collaborative efforts with Western armed forces.”

About the campaign

The campaign shows traces commonly linked with APT campaigns, such as defense escape tactics, tailored delivery methods, custom payload deployment, and stable operational infrastructure to aid sustained access to hacked systems.

MemFun and AppleChris

Threat actors used tools such as backdoors called MemFun and AppleChris, and a credential harvester called Getpass. Experts found the hacking tools after finding malicious PowerShell execution that allowed the script to go into a sleep state and then make reverse shells to a hacker-controlled C2 server. Experts don't know about the exact initial access vector. 

About the attack sequence

The compromise sequence deploys AppleChris’ different versions across victim endpoints and moves laterally to avoid detection. Hackers were also found doing searches for joint military activities, detailed assessments of operational capabilities, and official meeting records. The experts said that the “attackers showed particular interest in files related to military organizational structures and strategy, including command, control, communications, computers, and intelligence (C4I) systems.”

MemFun and AppleChris are designed to access a shared Pastebin account that serves as a dead-drop resolver to retrieve the real C2 address in Base64-encoded format. An AppleChris version also depends on Dropbox to fetch the C2 details via the Pastebin approach, kept as a backup option. Installed via DLL hijacking, AppleChris contacts the C2 server to receive commands to perform drive enumeration and related tasks. 

According to Unit 42, “To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime. These variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively outlasting the typical monitoring windows of automated sandboxes.”

Read more »
VENON
Banking Trojans Brazil DLL hijacking malware VENON

Rust-Based VENON Malware Targets 33 Brazilian Banks

 


A newly identified banking malware strain called VENON is targeting users in Brazil and stands out for an unusual technical choice. Instead of relying on the Delphi programming language used by many long-running Latin American banking trojans, the new threat is written in Rust, a modern systems language that is increasingly appearing in intricately executed cyber operations.

The malware infects Windows machines and was first detected in February 2026. Researchers at the Brazilian cybersecurity firm ZenoX assigned the malware the name VENON after analyzing the threat.

Although it is written in a different programming language, the malware behaves similarly to several well-known banking trojans that have historically targeted financial institutions in Latin America. Analysts say the threat shares operational patterns with malware families such as Grandoreiro, Mekotio, and Coyote. These similarities include techniques like monitoring the active window on a victim’s computer, launching fake login overlays when banking applications open, and hijacking Windows shortcut files to redirect users.

At the moment, investigators have not linked VENON to any previously identified cybercriminal operation. However, forensic examination of an earlier version of the malware dating back to January 2026 revealed traces from the developer’s workstation. File paths embedded in the code repeatedly referenced a Windows user account named “byst4,” which may indicate the environment used during development.

Researchers believe the developer appears to be familiar with how Latin American banking trojans typically operate. However, the implementation in Rust suggests a higher level of technical expertise compared with many traditional banking malware campaigns. Analysts also noted that generative artificial intelligence tools may have been used to help reproduce and expand existing malware capabilities while rewriting them in Rust.

The infection process relies on a multi-stage delivery chain designed to avoid detection. VENON is executed through a technique known as DLL side-loading, where a malicious dynamic-link library runs when a legitimate application loads it. Investigators suspect the campaign may rely on social-engineering tactics similar to the ClickFix method. In this scenario, victims are persuaded to download a ZIP archive that contains the malicious components. A PowerShell script within the archive then launches the malware.

Before performing any harmful actions, the malicious DLL runs several checks designed to evade security tools. Researchers documented nine separate evasion methods. These include detecting whether the malware is running inside a security sandbox, using indirect system calls to avoid monitoring, and bypassing both Event Tracing for Windows (ETW) logging and the Antimalware Scan Interface (AMSI).

After completing these checks, the malware contacts a configuration file hosted on Google Cloud Storage. It then installs a scheduled task on the compromised machine to maintain persistence and establishes a WebSocket connection with a command-and-control server operated by the attackers.

Investigators also identified two Visual Basic Script components embedded in the DLL. These scripts implement a shortcut hijacking mechanism aimed specifically at the Itaú banking application. The technique replaces legitimate shortcuts with manipulated versions that redirect victims to a fraudulent webpage controlled by the threat actor.

The malware even includes an uninstall routine that can reverse these shortcut changes. This feature allows operators to restore the original system configuration, which could help remove evidence of the compromise after an attack.

VENON is configured to monitor activity related to 33 financial institutions and cryptocurrency services. The malware constantly checks the titles of open windows and the domains visited in web browsers. It activates only when a user accesses one of the targeted banking platforms. When triggered, the malware displays fake login overlays designed to capture credentials.

The discovery comes amid a broader wave of campaigns targeting Brazilian users through messaging platforms. Researchers recently observed threat actors exploiting the widespread popularity of WhatsApp in the country to spread a worm known as SORVEPOTEL. The worm spreads through the desktop web version of the messaging service by abusing already authenticated chat sessions to send malicious messages directly to contacts.

According to analysts at Blackpoint Cyber, a single malicious message sent from a compromised SORVEPOTEL session can initiate a multi-stage infection chain. In one observed scenario, the attack eventually deployed the Astaroth threat entirely in system memory.

The researchers noted that the combination of local automation tools, browser drivers operating without supervision, and runtime environments that allow users to write files locally created an environment that made it easier for both the worm and the final malware payload to install themselves with minimal resistance.

Read more »
Proxy
Botnet KadNap Linux malware NTP Proxy

KadNap Malware Compromises Over 14,000 Edge Devices to Operate Hidden Proxy Botnet

 


Cybersecurity researchers have identified a previously undocumented malware strain called KadNap that is primarily infecting Asus routers and other internet-facing networking devices. The attackers are using these compromised systems to form a botnet that routes malicious traffic through residential connections, effectively turning infected hardware into anonymous proxy nodes.

The threat was first observed in real-world attacks in August 2025. Since that time, the number of affected devices has grown to more than 14,000, according to investigators at Black Lotus Labs. A large share of infections, exceeding 60 percent, has been detected within the United States. Smaller groups of compromised devices have also been identified across Taiwan, Hong Kong, Russia, the United Kingdom, Australia, Brazil, France, Italy, and Spain.

Researchers report that the malware uses a modified version of the Kademlia Distributed Hash Table (DHT) protocol. This peer-to-peer networking technology enables the attackers to conceal the true location of their infrastructure by distributing communication across multiple nodes. By embedding command traffic inside decentralized peer-to-peer activity, the operators can evade traditional network monitoring systems that rely on detecting centralized servers.

Within this architecture, infected devices communicate with one another using the DHT network to discover and establish connections with command-and-control servers. This design improves the botnet’s resilience, as it reduces the chances that defenders can disable operations by shutting down a single control point.

Once a router or other edge device has been compromised, the system can be sold or rented through a proxy platform known as Doppelgänger. Investigators believe this service is a rebranded version of another proxy operation called Faceless, which previously had links to TheMoon router malware. According to information published on the Doppelgänger website, the service launched around May or June 2025 and advertises access to residential proxy connections in more than 50 countries, promoting what it claims is complete anonymity for users.

Although many of the observed infections involve Asus routers, researchers found that the malware operators are also capable of targeting a wider range of edge networking equipment.

The attack chain begins with the download of a shell script named aic.sh, retrieved from a command server located at 212.104.141[.]140. This script initiates the infection process by connecting the compromised device to the botnet’s peer-to-peer network.

To ensure the malware remains active, the script establishes persistence by creating a cron task that downloads the same script again at the 55-minute mark of every hour. During this process, the file is renamed “.asusrouter” and executed automatically.

After persistence is secured, the script downloads an ELF executable, renames it “kad,” and runs it on the device. This program installs the KadNap malware itself. The malware is capable of operating on hardware that uses ARM and MIPS processor architectures, which are commonly found in routers and networking appliances.

KadNap also contacts a Network Time Protocol (NTP) server to retrieve the current system time and store it along with the device’s uptime. These values are combined to produce a hash that allows the malware to identify and connect with other peers within the decentralized network, enabling it to receive commands or download additional components.

Two additional files used during the infection process, fwr.sh and /tmp/.sose, contain instructions that close port 22, which is the default port used by Secure Shell (SSH). These files also extract lists of command server addresses in IP-address-and-port format, which the malware uses to establish communication with control infrastructure.

According to researchers, the use of the DHT protocol provides the botnet with durable communication channels that are difficult to shut down because its traffic blends with legitimate peer-to-peer network activity.

Further examination revealed that not every infected device communicates with every command server. This suggests the attackers are segmenting their infrastructure, possibly grouping devices based on hardware type or model.

Investigators also noted that routers infected with KadNap may sometimes contain multiple malware infections simultaneously. Because of this overlap, it can be challenging to determine which threat actor is responsible for particular malicious activity originating from those systems.

Security experts recommend that individuals and organizations operating small-office or home-office (SOHO) routers take several precautions. These include installing firmware updates, restarting devices periodically, replacing default administrator credentials, restricting management access, and replacing routers that have reached end-of-life status and no longer receive security patches.

Researchers concluded that KadNap’s reliance on a peer-to-peer command structure distinguishes it from many other proxy-based botnets designed to provide anonymity services. The decentralized approach allows operators to remain hidden while making it significantly harder for defenders to detect and block the network.

In a separate report, security analysts at Cyble disclosed a new Linux malware threat named ClipXDaemon.

The malware targets cryptocurrency users by intercepting wallet addresses that victims copy to their clipboard and secretly replacing them with addresses controlled by attackers. This type of threat is commonly known as clipper malware.

ClipXDaemon is distributed through a Linux post-exploitation framework called ShadowHS and has been described as an automated clipboard-hijacking tool designed specifically for systems running Linux X11 graphical environments.

The malware operates entirely in memory, which reduces traces on disk and improves its ability to remain undetected. It also employs several stealth techniques, including disguising its process names and deliberately avoiding execution in Wayland sessions.

This design choice is intentional because Wayland’s security architecture introduces stricter restrictions on clipboard access. Applications must usually involve explicit user interaction before they can read clipboard contents. By disabling itself when Wayland is detected, the malware avoids triggering errors or suspicious behavior.

Once active in an X11 session, ClipXDaemon continuously checks the system clipboard every 200 milliseconds. If it detects a copied cryptocurrency wallet address, it immediately substitutes it with an attacker-controlled address before the victim pastes the information.

The malware currently targets a wide range of digital currencies, including Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON.

Researchers noted that ClipXDaemon differs significantly from traditional Linux malware families. It does not include command-and-control communication, does not send beaconing signals to remote servers, and does not rely on external instructions to operate.

Instead, the malware generates profits directly by manipulating cryptocurrency transactions in real time, silently redirecting funds when victims paste compromised wallet addresses during transfers.

Read more »
malware
Android Anthropic Artificial Inteligence Firefox malware

Anthropic AI Model Finds 22 Security Flaws in Firefox

 

Anthropic said its artificial intelligence model Claude Opus 4.6 helped uncover 22 previously unknown security vulnerabilities in the Firefox web browser as part of a collaboration with the Mozilla. 

The company said the issues were discovered during a two week analysis conducted in January 2026. 

The findings include 14 vulnerabilities rated as high severity, seven categorized as moderate and one considered low severity. 

Most of the flaws were addressed in Firefox version 148, which was released late last month, while the remaining fixes are expected in upcoming updates. 

Anthropic said the number of high severity bugs discovered by its AI model represents a notable share of the browser’s serious vulnerabilities reported over the past year. 

During the research, Claude Opus 4.6 scanned roughly 6,000 C++ files in the Firefox codebase and generated 112 unique vulnerability reports. 

Human researchers reviewed the results to confirm the findings and rule out false positives before reporting them. One issue identified by the model involved a use-after-free vulnerability in Firefox’s JavaScript engine. 

According to Anthropic, the AI located the flaw within about 20 minutes of examining the code, after which a security researcher validated the finding in a controlled testing environment. 

Researchers also tested whether the AI model could go beyond identifying flaws and attempt to build exploits from them. Anthropic said it provided Claude access to the list of vulnerabilities reported to Mozilla and asked it to develop working exploits. 

After hundreds of test runs and about $4,000 worth of API usage, the model succeeded in producing a working exploit in only two cases. 

Anthropic said the results suggest that finding vulnerabilities may be easier for AI systems than turning those flaws into functioning exploits. 

“However, the fact that Claude could succeed at automatically developing a crude browser exploit, even if only in a few cases, is concerning,” the company said. 

It added that the exploit tests were performed in a restricted research environment where some protections, such as sandboxing, were deliberately removed. 

One exploit generated by the model targeted a vulnerability tracked as CVE-2026-2796, which involves a miscompilation issue in the JavaScript WebAssembly component of Firefox’s just-in-time compilation system. 

Anthropic said the testing process included a verification system designed to check whether the AI-generated exploit actually worked. 

The system provided real-time feedback, allowing the model to refine its attempts until it produced a functioning proof of concept. The research comes shortly after Anthropic introduced Claude Code Security in a limited preview. 

The tool is designed to help developers identify and fix software vulnerabilities with the assistance of AI agents. Mozilla said in a separate statement that the collaboration produced additional findings beyond the 22 vulnerabilities. 

According to the company, the AI-assisted analysis uncovered about 90 other bugs, including assertion failures typically identified through fuzzing as well as logic errors that traditional testing tools had missed. 

“The scale of findings reflects the power of combining rigorous engineering with new analysis tools for continuous improvement,” Mozilla said. 

“We view this as clear evidence that large-scale, AI-assisted analysis is a powerful new addition to security engineers’ toolbox.”
Read more »
Pakistan threat group
AI cyber espionage Hackers malware Malware Campaign Pakistan threat group

Pakistan-Linked Hackers Use AI to Flood Targets With Malware in India Campaign

 

A Pakistan-aligned hacking group known as Transparent Tribe is using artificial intelligence coding tools to produce large numbers of malware implants in a campaign primarily targeting India, according to new research from cybersecurity firm Bitdefender. 

Security researchers say the activity reflects a shift in how some threat actors are developing malicious software. Instead of focusing on highly advanced malware, the group appears to be generating a large volume of implants written in multiple programming languages and distributed across different infrastructure. 

Researchers said the operation is designed to create a “high-volume, mediocre mass of implants” using less common languages such as Nim, Zig and Crystal while relying on legitimate platforms including Slack, Discord, Supabase and Google Sheets to help evade detection. 

“Rather than a breakthrough in technical sophistication, we are seeing a transition toward AI-assisted malware industrialization that allows the actor to flood target environments with disposable, polyglot binaries,” Bitdefender researchers said in a technical analysis of the campaign. 

The strategy involves creating numerous variations of malware rather than relying on a single sophisticated tool. Bitdefender described the approach as a form of “Distributed Denial of Detection,” where attackers overwhelm security systems with large volumes of different binaries that use various communication protocols and programming languages. 

Researchers say large language models have lowered the barrier for threat actors by allowing them to generate working code in unfamiliar languages or convert existing code into different formats. 

That capability makes it easier to produce large numbers of malware samples with minimal expertise. 

The campaign has primarily targeted Indian government organizations and diplomatic missions abroad. 

Investigators said the attackers also showed interest in Afghan government entities and some private businesses. According to the analysis, the attackers use LinkedIn to identify potential targets before launching phishing campaigns. 

Victims may receive emails containing ZIP archives or ISO images that include malicious Windows shortcut files. In other cases, victims are sent PDF documents that include a “Download Document” button directing them to attacker-controlled websites. 

These websites trigger the download of malicious archives. Once opened, the shortcut file launches PowerShell scripts that run in memory. 

The scripts download a backdoor and enable additional actions inside the compromised system. Researchers said attackers sometimes deploy well-known adversary simulation tools such as Cobalt Strike and Havoc to maintain access. 

Bitdefender identified a wide range of custom tools used in the campaign. These include Warcode, a shellcode loader written in Crystal designed to load a Havoc agent into memory, and NimShellcodeLoader, which deploys a Cobalt Strike beacon. 

Another tool called CreepDropper installs additional malware, including SHEETCREEP, a Go-based information stealer that communicates with command servers through Microsoft Graph API, and MAILCREEP, a backdoor written in C# that uses Google Sheets for command and control. 

Researchers also identified SupaServ, a Rust-based backdoor that communicates through the Supabase platform with Firebase acting as a fallback channel. The code includes Unicode emojis, which researchers said suggests it may have been generated with the help of AI. 

Additional malware used in the campaign includes CrystalShell and ZigShell, backdoors written in Crystal and Zig that can run commands, collect host information and communicate with command servers through platforms such as Slack or Discord. 

Other tools observed in the operation include LuminousStealer, a Rust-based information stealer that exfiltrates files to Firebase and Google Drive, and LuminousCookies, which extracts cookies, passwords and payment information from Chromium-based browsers. 

Bitdefender said the attackers are also using utilities such as BackupSpy to monitor file systems for sensitive data and ZigLoader to decrypt and execute shellcode directly in memory. Despite the large number of tools involved, researchers say the overall quality of the malware is often inconsistent. 

“The transition of APT36 toward vibeware represents a technical regression,” Bitdefender said, referring to the Transparent Tribe group. “While AI-assisted development increases sample volume, the resulting tools are often unstable and riddled with logical errors.” 

Still, the researchers warned that the broader trend could make cyberattacks easier to scale. By combining AI-generated code with trusted cloud services, attackers can hide malicious activity within normal network traffic. 

“We are seeing a convergence of two trends that have been developing for some time the adoption of exotic programming languages and the abuse of trusted services to hide in legitimate traffic,” the researchers said. 

They added that this combination allows even relatively simple malware to succeed by overwhelming traditional detection systems with sheer volume.
Read more »
Tropic Trooper
cyber attack malware Salt Typhoon Telco Tropic Trooper

China Based Hackers Attack Telco With New Malware


A China-based advanced persistent cyber criminal tracked as UAT-9244 has been attacking telecommunication service providers in South America since 2024. Threat actor attacks Linux, Windows, and network-edge devices. 

Cisco Talos researchers said that the hacker is related to the Tropic Trooper and FamousSparrow hacker groups, but it is tracked as a different activity cluster.

According to the experts, UAT-9244 shares the same victim profile as Salt Typhoon, but they are failing to find a link between the two security clusters.

New malware attacking telco networks

The experts found that the campaign used three previously unknown malware families: PeerTime, a Linux backdoor that employs BitTorrent; TernDoor, a Windows backdoor; and BruteEntry, a brute-force scanner that makes proxy infrastructure (ORBs).

About TernDoor

TernDoor is installed via DLL side-loading through the authentic executable wsprint.exe to deploy malicious code from BugSplatRc64.dll, which decodes and runs the final payload in memory (inserted inside msiexec.exe).

The malware consists of a WSPrint.sys, an embedded Windows driver, which is used for terminating, suspending, and resuming processes.

Persistence is gained through Windows Registry modifications and scheduled tasks, which also hide the scheduled task. Besides this, TernDoor runs commands through a remote shell, executes arbitrary processes, collects system data, reads/writes files, and self-deletes.

About PeerTime

PeerTime is an ELF Linux backdoor that attacks various architectures (MIPS, ARM, AARCH, PPC), hinting that it was made to attack a wide range of embedded systems and network devices.

Cisco Talos found the variants for PeerTime. The first variant is written in C/C++, and the second is based on Rust. The experts also found a Simplified Chinese debug string inside the instrumentor binary, which may be its source. The payload is decoded and installed in memory, and its process is renamed to look real.

About BruteEntry

Lastly, there is BruteEntry, which consists of a brute-forcing component and a Go-based instrumentor binary. Its function is to transform compromised devices into Operational Relay Boxes (ORBs), which are scanning nodes.

The attacker brute-forces SSH, PostgreSQL, and Tomcat by using workstations running BruteEntry to search for new targets. The C2 receives the results of the login attempt along with the task status and notes.

Read more »
Passaic County
IT Systems malware New Jersey Passaic County

Malware Attack Cripples Passaic County Phones and IT Systems

 

A malware attack has disrupted government services in Passaic County, New Jersey, knocking out key IT systems and phone lines that serve nearly 600,000 residents across the region. Officials say they are working with state and federal partners to investigate the incident and restore critical communications as quickly as possible.

The disruption began midweek, when county phones suddenly stopped working and a service alert warned that all lines were “currently down,” leaving residents unable to reach many government offices by telephone. The outage has extended beyond a brief glitch, with phone issues lingering into the following day as technical teams assess the scope of the compromise. In public statements, the county has confirmed that a malware attack is affecting its IT infrastructure and impacting phone lines but has released few technical details about the nature of the malicious software involved. 

Passaic County leaders emphasize that they are collaborating closely with both federal and state authorities to investigate and contain the attack, reflecting growing concern over cyber threats to local government systems. Agencies are working to determine how attackers gained access, what systems were affected, and whether any data was stolen, altered, or encrypted.Officials have not yet said whether emergency services such as 911 or dispatch operations were impacted, nor have they confirmed if any personal information of residents has been compromised.

This incident comes amid a broader wave of cyberattacks targeting smaller municipalities and public institutions, as criminals shift focus away from the larger metropolitan governments and corporations that hardened their defenses in recent years. Experts note that local governments often rely on aging infrastructure and limited cybersecurity resources, making them appealing targets for malware campaigns that can disrupt daily operations for thousands of residents. Recent attacks on other New Jersey jurisdictions and hospitals across the country have led to extended outages, raising alarms about the resilience of public services in the face of persistent digital threats.

For Passaic County residents, the immediate impact is practical and personal: difficulty reaching county offices, confusion about service availability, and uncertainty over potential exposure of sensitive data. Authorities have urged patience as investigations continue and pledged to share updates once systems are fully restored and more is known about the attack’s origin and impact.The episode underscores the need for stronger cybersecurity investments at the local level, from securing phone and network infrastructure to training staff against phishing and other common malware entry points.
Read more »
Windows
AI BadPaw Cloud Data malware Windows

BadPaw Malware Targets Uranian Systems


A newly found malware campaign exploiting a Ukrainian email service to build trust has been found by cybersecurity experts. 

About the campaign 

The operation starts with an email sent from an address hosted on ukr[.]net, a famous Ukrainian provider earlier exploited by the Russia based hacking group APT28 in older campaigns.

BadPaw malware 

Experts at ClearSky have termed the malware “BadPaw.” The campaign starts when a receiver opens a link pretending to host a ZIP archive. Instead of starting a direct download, the target is redirected to a domain that installs a tracking pixel, letting the threat actor to verify engagement. Another redirect sends the ZIP file. 

The archive pretends to consist of a standard HTML file, but ClearSky experts revealed that it is actually an HTA app in hiding. When deployed, the file shows a fake document related to a Ukrainian government border crossing request, where malicious processes are launched in the background. 

Attack tactic 

Before starting, the malware verifies a Windows Registry key to set the system's installation date. If the OS is older than ten days, deployment stops, an attack tactic that escapes sandbox traps used by threat analysts. 

If all the conditions are fulfilled, the malware looks for the original ZIP file and retrieves extra components. The malware builds its persistence via a scheduled task that runs a VBS script which deploys steganography to steal hidden executable code from an image file. 

Only nine antivirus engines could spot the payload at the time of study. 

Multi-Layered Attack

After activation within a particular parameter, BadPaw links to a C2 server. 

The following process happens:

Getting a numeric result from the /getcalendar endpoint. 

Gaining access to a landing page called "Telemetry UP!” through /eventmanager. 

Downloading the ASCII-encoded payload information installed within HTML. 

In the end, the decrypted data launches a backdoor called "MeowMeowProgram[.]exe," which offers file system control and remote shell access. 

Four protective layers are included in the MeowMeow backdoor: runtime parameter constraints, obfuscation of the.NET Reactor, sandbox detection, and monitoring for forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.

Incorrect execution results in a benign graphical user interface with a picture of a cat. The "MeowMeow" button only displays a harmless message when it is clicked.

Read more »
malware
ATM jackpotting Bank Security FBI Financial crime malware

ATM Jackpotting Malware Triggers Record Global ATM Heists in 2025

 

ATM jackpotting attacks surged dramatically in 2025, with cybercriminals using specialized malware to force cash machines to spit out money on command, often without touching any customer account. This new wave of attacks exposed serious weaknesses in how banks protect the physical and digital components of their ATM fleets. 

According to FBI figures, there have been about 1,900 reported ATM jackpotting cases in the United States since 2020, and more than 700 of those incidents occurred in 2025 alone, causing over 20 million dollars in losses. The attacks rely heavily on malware families such as Ploutus, which has been around for over a decade but continues to evolve. Instead of targeting customer accounts, Ploutus directly compromises the ATM’s operating system, allowing crooks to drain cassettes in minutes before anyone notices something is wrong. 

To execute a jackpotting operation, attackers first need physical access to the machine’s internals. The FBI notes that gangs often use widely available “generic” keys to open the service panel, then remove or connect to the hard drive or USB ports. Once inside, they either load malware onto the existing drive or swap in a pre‑infected disk that boots a compromised operating system capable of issuing unauthorized dispense commands. In many cases, a mule returns later, enters a secret code or connects a device, and collects the cash as the ATM empties itself.

What makes these operations so dangerous is that the malware can bypass normal bank authorization checks and trigger cash withdrawals without a card, PIN, or even a linked account.Because the machine behaves as if it is performing legitimate transactions, banks often only discover the theft after reconciling cash levels and seeing large, unexplained shortages. The U.S. Justice Department has already charged dozens of suspects in jackpotting schemes, including crews tied to transnational criminal groups accused of stealing millions of dollars from victim banks and credit unions. 

In response, the FBI and regulators are urging financial institutions and ATM operators to harden both physical and software defenses. Recommended steps include replacing standard locks, reinforcing ATM cabinets, keeping systems fully patched, and closely monitoring machines for signs of tampering or unexpected restarts. As 2026, ATM jackpotting has become a priority threat for the banking sector, underlining the need for continuous security upgrades and better coordination between banks, law enforcement, and cybersecurity teams.
Read more »
VNC Remote Access
Accessibility Service Exploit AI DrivenMalware Android Malware Android Security Threats Cyber Threats Gemini AI Abuse malware Mobile Banking Phishing VNC Remote Access

Google Responds After Reports of Android Malware Leveraging Gemini AI



There has been a steady integration of artificial intelligence into everyday digital services that has primarily been portrayed as a story of productivity and convenience. However, the same systems that were originally designed to assist users in interpreting complex tasks are now beginning to appear in much less benign circumstances. 


According to security researchers, a new Android malware strain appears to be woven directly into Google's Gemini AI chatbot, which seems to have a generative AI component. One of the most noteworthy aspects of this discovery is that it marks an unusual development in the evolution of mobile threat evolution, as a tool that was intended to assist users with problems has been repurposed to initiate malicious software through the user interface of a victim's device.

In real time, the malware analyzes on-screen activity and generates contextual instructions based on it, demonstrating that modern AI systems can serve as tactical enablers in cyber intrusions. As a result of the adaptive nature of malicious applications, traditional automated scripts rarely achieve such levels of adaptability. 

It has been concluded from further technical analysis that the malware, known as PromptSpy by ESET, combines a variety of established surveillance and control mechanisms with an innovative layer of artificial intelligence-assisted persistence. 

When the program is installed on an affected device, a built-in virtual network computing module allows operators to view and control the compromised device remotely. While abusing Android's accessibility framework, this application obstructs users from attempting to remove the application, effectively interfering with user actions intended to terminate or uninstall it. 

Additionally, malicious code can harvest lock-screen information, collect detailed device identifiers, take screenshots, and record extended screen activity as video while maintaining encrypted communications with its command-and-control system. 


According to investigators, the campaign is primarily motivated by financial interests and has targeted heavily on Argentinian users so far, although linguistic artifacts within the code base indicate that the development most likely took place in a Chinese-speaking environment. However, PromptSpy is characterized by its unique implementation of Gemini as an operational aid that makes it uniquely unique. 

A dynamic interpretation of the device interface is utilized by the malware, instead of relying on rigid automation scripts that simulate taps at predetermined coordinates, an approach that frequently fails across different versions or interface layouts of Android smartphones. It transmits a textual prompt along with an XML representation of the current screen layout to Gemini, thereby providing a structured map of the visible buttons, text labels, and interface elements to Gemini. 

Once the chatbot has returned structured JSON instructions which indicate where interaction should take place, PromptSpy executes those instructions and repeats the process until the malicious application has successfully been anchored in the recent-apps list. This reduces the likelihood that the process may be dismissed by routine user gestures or management of the system. 


ESET researchers noted that the malware was first observed in February 2026 and appears to have evolved from a previous strain known as VNCSpy. The operation is believed to selectively target regional victims while maintaining development infrastructure elsewhere by uploading samples from Hong Kong, before later variants surface in Argentina. 

It is not distributed via official platforms such as Google Play; instead, victims are directed to a standalone website impersonating Chase Bank's branding by using identifiers such as "MorganArg." In addition, the final malware payload appears to be delivered via a related phishing application, thought to be originated by the same threat actor. 

Even though the malicious software is not listed on the official Google Play store, analysts note that Google Play Protect can detect and block known versions of the threat after they are identified. This interaction loop involves the AI model interpreting the interface data and returning structured JSON responses that are utilized by the malware for operational guidance. 

The responses specify both the actions that should be performed-such as simulated taps-as well as the exact interface element on which they should occur. By following these instructions, the malicious application is able to interact with system interfaces without direct user input, by utilizing Android's accessibility framework. 

Repeating the process iteratively is necessary to secure the application's position within the recent apps list of the device, a state that greatly complicates efforts to initiate task management or routine gestures to terminate the process. 

Gemini assumes the responsibility of interpreting the interface of the malware, thereby avoiding the fragility associated with fixed automation scripts. This allows the persistence routine to operate reliably across a variety of screen sizes, interface configurations, and Android builds. Once persistence is achieved, the operation's main objective becomes evident: establishing sustained remote access to the compromised device. 

By deploying a virtual network computing component integrated with PromptSpy, attackers have access to a remote monitor and control of the victim's screen in real time via the VNC protocol, which connects to a hard-coded command-and-control endpoint and is controlled remotely by the attacker infrastructure. 

Using this channel, the malware is able to retrieve operational information, such as the API key necessary to access Gemini, request screenshots on demand, or initiate continuous screen recording sessions. As part of this surveillance capability, we can also intercept highly sensitive information, such as lock-screen credentials, such as passwords and PINs, and record pattern-based unlock gestures. 

The malware utilizes Android accessibility services to place invisible overlays across portions of the interface, which effectively prevents users from uninstalling or disabling the application. As a result of distribution analysis, it appears the campaign uses a multi-stage delivery infrastructure rather than an official application marketplace for delivery. 


Despite never appearing on Google Play, the malware has been distributed through a dedicated website that distributes a preliminary dropper application instead. As soon as the dropper is installed, a secondary page appears hosted on another domain which mimics JPMorgan Chase's visual identity and identifies itself as MorganArg. Morgan Argentina appears to be the reference to the dropper. 

In the interface, victims are instructed to provide permission for installing software from unknown sources. Thereafter, the dropper retrieves a configuration file from its server and quietly downloads it. According to the report, the file contains instructions and a download link for a second Android package delivered to the victim as if it were a routine application update based on Spanish-language prompts. 

Researchers later discovered that the configuration server was no longer accessible, which left the specific distribution path of the payload unresolved. Clues in the malware’s code base provide additional insight into the campaign’s origin and targeting strategy. Linguistic artifacts, including debug strings written in simplified Chinese, suggest that Chinese-speaking operators maintained the development environment. 

Furthermore, the cybersecurity infrastructure and phishing material used in the operation indicate an interest in Argentina, which further supports the assessment that the activity is not espionage-related but rather financially motivated. It is also noted that PromptSpy appears to be a result of the evolution of a previously discovered Android malware strain known as VNCSpy, the samples of which were first submitted from Hong Kong to VirusTotal only weeks before the new variant was identified.

In addition to highlighting an immediate shift in the technical design of mobile threats, the discovery also indicates a broader shift. It is possible for attackers to automate interactions that would otherwise require extensive manual scripting and constant maintenance as operating systems change by outsourcing interface interpretation to a generative artificial intelligence system. 

Using this approach, malware can respond dynamically to changes in interfaces, device models, and regional system configurations by changing its behavior accordingly. Additionally, PromptSpy's persistence technique complicates remediation, since invisible overlays can obstruct victims' ability to access the uninstall controls, thereby further complicating remediation. 

In many cases, the only reliable way to remove the application is to restart the computer in Safe Mode, which temporarily disables third-party applications, allowing them to be removed without interruption. As security researchers have noted, PromptSpy's technique indicates that Android malware development is heading in a potentially troubling direction. 

By feeding an image of the device interface to artificial intelligence and receiving precise interaction instructions in return, malicious software gains an unprecedented degree of adaptability and efficiency not seen in traditional mobile threats. 

It is likely that as generative models become more deeply ingrained into consumer platforms, the same interpretive capabilities designed to assist users may be increasingly repurposed by threat actors who wish to automate complicated device interactions and maintain long-term control over compromised systems. 

Security practitioners and everyday users alike should be reminded that defensive practices must evolve to meet the changing technological landscape. As a general rule, analysts recommend installing applications only from trusted marketplaces, carefully reviewing accessibility permission requests, and avoiding downloads that are initiated by unsolicited websites or update prompts. 

The use of Android security updates and Google Play Protect can also reduce exposure to known threats as long as the protections remain active. Research indicates that, as tools such as Gemini are increasingly being used in malicious workflows, it signals an inflection point in mobile security, which may lead to a shift in both the offensive and defensive sides of the threat landscape as artificial intelligence becomes more prevalent. 

It is likely that in order to combat the next phase of adaptive Android malware, the industry will have to strengthen detection models, improve behavioural monitoring, and tighten controls on high-risk permissions.
Read more »
ZIP File
DLL Domain malware Malware Trojan Website ZIP File

Fake FileZilla Website Distributes Malware-Infected Download

 



A fraudulent website is distributing a modified portable edition of FileZilla version 3.69.5 that contains embedded malware. The archive appears legitimate and includes the authentic open-source FTP client, but attackers inserted one additional file, a rogue dynamic-link library named version.dll, before repackaging and circulating it online.

When users download this altered ZIP file, extract it, and launch filezilla.exe, Windows follows its standard DLL loading order. The operating system checks the application’s own directory before referencing system libraries stored in C:\Windows\System32. Because the malicious version.dll is placed inside the FileZilla folder, Windows loads it first. From that moment, the malicious code executes within the legitimate FileZilla process.

This method relies on a long-established Windows behavior known as DLL search order hijacking. It does not involve a vulnerability in FileZilla itself. Instead, the compromise depends on users downloading the installer from an unofficial domain such as filezilla-project[.]live, which imitates the legitimate project site. The attack spreads through deception, including lookalike domains and search engine manipulation, rather than automated self-propagation.


Archive Examination Reveals a Single Suspicious File

The compromised archive contains 918 files. Among them, 917 entries show a last-modified date of 2025-11-12, consistent with the authentic portable release of FileZilla 3.69.5. One file differs: version.dll carries a timestamp of 2026-02-03, nearly three months newer than the rest.

A genuine portable distribution of FileZilla does not include version.dll. Legitimate libraries in the package typically include files such as libfilezilla-50.dll and libfzclient-private-3-69-5.dll. The Windows Version API library normally resides inside the operating system directory and has no reason to be bundled with FileZilla. Its inclusion forms the basis of the compromise.


The SHA-256 hash of the trojanized archive is:

665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755

The SHA-256 hash of the malicious version.dll is:

e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4


Execution Behavior Observed on a Live System

Monitoring the application with Process Monitor confirms the sideloading sequence. When filezilla.exe starts, Windows attempts to load required libraries. For files such as IPHLPAPI.DLL and POWRPROF.dll, the application directory does not contain a copy, producing “NAME NOT FOUND.” Windows then retrieves legitimate versions from the system directory.

For version.dll, however, the malicious copy is present locally. Windows maps it into memory without consulting System32. The attacker’s code now operates inside the trusted application process.

Approximately 17 milliseconds after loading, the malicious DLL attempts to locate version_original.dll in the same directory. The lookup fails. This pattern suggests DLL proxying, where attackers forward legitimate function calls to a renamed original library to preserve application stability. In this case, the renamed library was not included, which may explain abrupt application termination during testing.

FileZilla invokes LoadLibrary using only the file name rather than a full system path. While common in Windows software design, this practice enables directory-based DLL substitution.


Anti-Analysis Checks and Network Communication

Before activating its main payload, the DLL performs environmental checks. These include BIOS version inspection, system manufacturer queries, probing for VirtualBox registry keys, disk enumeration, memory allocation using write-watch techniques, and delayed execution loops. These checks aim to detect virtual machines or sandbox environments.

If the system appears genuine, the malware initiates encrypted domain resolution using DNS-over-HTTPS. It sends the following request to Cloudflare’s public resolver:

https://1.1.1.1/dns-query?name=welcome.supp0v3[.]com&type=A

Using HTTPS for DNS queries prevents traditional monitoring systems that rely on port 53 inspection from detecting the request.

After resolving the domain, the malware contacts:

https://welcome.supp0v3.com/d/callback?utm_tag=tbs2&utm_source=dll

Memory inspection revealed the embedded configuration:

{ "tag":"tbs", "referrer":"dll", "callback":"https://welcome.supp0v3.com/d/callback?utm_tag=tbs2&utm_source=dll" }

The UTM-style parameters suggest structured tracking of distribution channels.

The malware also attempts connections to 95.216.51[.]236 over TCP port 31415, a non-standard port. Ten connection attempts were recorded across two sessions, indicating retry logic designed to maintain communication.


Additional Capabilities Identified

Automated behavioral analysis indicated potential FTP credential harvesting. Because FileZilla stores connection details locally, unauthorized access could expose remote servers and hosting accounts. Other flagged behaviors included:

• Creation of suspended processes with memory injection

• Runtime .NET compilation using csc.exe

• Registry modifications consistent with persistence mechanisms

• Calls to Windows encryption-related APIs

These behaviors indicate functionality beyond simple credential theft, potentially including persistence and process manipulation.


Defensive Guidance

Users should download FileZilla exclusively from the official domain filezilla-project.org and verify the published hash values before execution. Portable installations should not contain version.dll. Its presence signals compromise.

Monitor outbound HTTPS traffic to public DNS resolvers such as 1.1.1.1 or 8.8.8.8 from non-browser applications. Review ZIP archive timestamps for inconsistencies before running software. Block the identified domains and IP address at the network perimeter if detected.

Malwarebytes reports detection and blocking of known variants of this threat.


Indicators of Compromise (IOCs)

• SHA-256 Hashes

665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755    FileZilla_3.69.5_win64.zip

e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4 — version.dll

• Domains

filezilla-project[.]live

welcome.supp0v3[.]com

• Network Indicator

95.216.51[.]236:31415


Read more »
Screen Overlay Attack
Accessibility Service Abuse Digital Identity Theft IPTV Malware Campaign malware Mobile Banking Trojan Mobile Cybersecurity Threats Screen Overlay Attack

New Massiv Malware Targets Android Banking Users Through Fake IPTV App


 

As a result of the convenience of mobile streaming, user behavior has quietly been reshaped, normalizing the practice of downloading applications outside of official app marketplaces that have been guarded. In this gray area of digital consumption, a recently discovered Android banking Trojan known as Massiv has begun to circulate, resulting in an alert to security researchers. 

A malware program disguised as an IPTV application and distributed by convincingly crafted third-party websites capitalizes on a routine that many users no longer question as a threat. Instead of providing a shortcut to premium or region-locked entertainment, cybercriminals are now using this shortcut as a conduit for financial intrusion, illustrating how cybercriminals are evolving in concert with changing consumer trends. 

A subsequent technical analysis conducted by the ThreatFabric mobile threat intelligence team revealed that Massiv incorporates a multilayered attack framework designed to bypass contemporary mobile security safeguards. In addition to intercepting user input, the Trojan uses keylogging capabilities to capture authenticating credentials in real time through screen overlay techniques. 

In Portugal, it primarily targets two critical applications, a government service platform and an accompanying digital authentication infrastructure known as Chave Móvel Digital. The Massive product embeds itself within the Accessibility Service and extracts structured interface data, including visible text strings, user interface element identifiers, screen coordinates, and interaction metadata, enabling operators to reconstruct user sessions without relying solely upon traditional screen capture techniques.

According to researchers, this secondary data extraction method is particularly useful against banking and communication applications with screen recording restrictions, effectively neutralizing a common defensive control. 

By collecting credentials and identity information, threat actors can go beyond immediate account compromise with their harvested credentials and identity data. As a result of investigations, fraudulent financial accounts were opened by investigators on behalf of victims across institutions where they had never previously engaged. 

Once these newly established accounts are fully controlled by the attackers, they are integrated into broader financial abuse schemes, facilitating illicit fund transfers, loan applications and structured cash outs.

It is important to note that the effect of the theft extends beyond temporary account access; victims may be exposed to long-term financial responsibilities linked to accounts and debts they did not authorize or recognize, thus illustrating a shift from opportunistic theft to systematic exploitation of people's identities. 

Throughout Massiv's architecture, surveillance, deception, and remote manipulation techniques are combined to achieve sustained control over compromised devices through deliberate convergence. By deploying screen overlays mimicking legitimate login interfaces, the malware attempts to harvest credentials unknowingly, prompting users to provide their authentication information into attacker-controlled forms.

The embedded keylogging functionality allows for the collection of credentials and other sensitive data in real time by capturing typed inputs. Beyond these conventional banking Trojan features, Massiv provides two advanced operating modes that substantially expand its capabilities, including live screen streaming using Android’s MediaProjection API and detailed user interface mapping using Accessibility Services. 

Using the latter mechanism, operators are able to extract structured UI-tree information, such as visible text, interface identifiers, and precise screen coordinates. By using this intelligence, attackers can simulate user interactions remotely, executing clicks, modifying fields, and navigating applications as if they held the device physically. 

According to researchers, this approach effectively circumvents screen-capture restrictions commonly employed by banking and secure messaging applications, thereby undermining a control widely relied upon to prevent session hijacking and visual data leakage. Distributing tactics demonstrate an adaptive approach to user behavior in addition. 

Researchers have observed a sustained increase in malware campaigns packaged within alleged IPTV streaming applications in recent months. Threat actors take advantage of the established pattern of off-store installation, as many of these streaming platforms operate in legal grey areas and can be obtained via sideloaded APK files rather than through official marketplaces. 

It is possible that the IPTV application has been developed entirely, serving primarily as a dropper for Massiv deployment. It is also possible that the application loads an authentic IPTV website within a WebView environment to maintain the appearance of legitimacy, while executing the malicious payload in the background. 

As a result of the geographical focus and scalability of the operation, activities have been largely concentrated in Spain, Portugal, France and Turkey. In the broader context, the implication is that contemporary banking malware has evolved far beyond simple credential interception campaigns, pursuing comprehensive identity takeover campaigns in a mass-scale manner, integrating fraud downstream, remote session control, and digital identity abuse into one operational chain. 

Using state-sponsored authentication systems in concert with banking platforms, attackers are able to increase their financial exposure and potential regulatory repercussions for victims as well as institutions. Mitigation requires the application of disciplined mobile security practices. 

As a precautionary measure, users are advised to download applications from Google Play only, keep Google Play Protect active, and avoid downloading APK files from unverified sources. Careful scrutiny of the application permissions remains important, particularly those that request Accessibility Service or screen recording privileges. 

A comprehensive awareness program at the organizational level should address the growing risk surface associated with mobile identity ecosystems, particularly in environments where state-issued digital credentials are integrated with financial services, demonstrating that mobile devices have become increasingly important vectors for identity-centric cybercriminals. 

As part of the recent surge of IPTV-themed Android malware campaigns over the past six to eight months, the Trojan has been designated "Massive" after a core internal module. ThreatFabric reports that operators have consistently employed streaming applications to spread infection, with the majority of activity occurring in Spain, Portugal, France, and Turkey, according to research by ThreatFabric. 

An IPTV platform has become increasingly popular as a method to normalize installation from unofficial sources due to its plausible user demand and distribution channel. From a technical perspective, Massiv is able to embed itself within the infected device through the incorporation of the necessary mechanisms. 

In addition to being aggressively aggressive with its request for permission to access Accessibility Service, the malware aggressively prompts victims to grant these permissions, a crucial requirement for sustained monitoring and interaction with system and application interfaces. 

Upon installation, customized overlay pages are deployed over selected applications for the collection of credentials. During one documented campaign, the malware impersonated the Portuguese government application gov.pt and solicited victims' phone numbers and PINs under the false pretense of legitimate authentication. Massive supports dual data acquisition methods. 

Using the Android MediaProjection API, it streams screen content directly to a remote operator to mirror user activity in real-time. A structured extraction technique known as UI-tree mode is employed by malware in applications that enforce screen capture protections. 

During this configuration, AccessibilityNodeInfo objects are recursively parsed to create a JSON-formatted representation of interface data, including visible text fields, element attributes, and interaction flags. By using this alternative method, attackers can reconstruct application states and inputs even when conventional screen recording is prevented. 

Research indicates that although Massiv has not yet been formally advertised as malware-as-a-service on underground forums, there are indications that the company is on its way to operational scaling. A review of the command-and-control communication framework reveals that API keys have been implemented, which implies that the architecture was designed to facilitate modular deployment or third-party operator access. 

As the campaign matures, additional capabilities may be integrated as a result of ongoing code refinements, which indicate active development. Having emerged, Massiv symbolizes the convergence of financial fraud, identity exploitation, and system abuse within a single operational framework, which represents a wider turning point in mobile threat evolution.

Mobile devices are increasingly being utilized as gateways to national identity systems and regulated financial ecosystems as attackers refine distribution tactics and invest in modular, scalable infrastructures. 

Rather than reacting to malware attacks, security teams and policymakers must focus on sustained mobile threat intelligence, tighter control over the integration of digital identities, and increased user awareness regarding permission abuse in order to provide a more comprehensive response to threats. 

The ability to maintain resilience in an environment where sideloaded convenience can lead to systemic risk will depend on the alignment of technical safeguards with regulatory oversight and informed user behavior against an adversary model whose capabilities are demonstrably changing in real time.
Read more »
malware
Android backdoor threat Android firmware attack Google Play malware removal Kaspersky security report Keenadu malware

Keenadu Android Malware Found in Device Firmware, Grants Hackers Full Control Over Infected Phones

 

A newly identified and highly advanced Android malware strain named Keenadu has been discovered embedded within firmware across multiple device brands, allowing attackers to infiltrate all installed applications and gain unrestricted access to compromised devices.

In a detailed report by Kaspersky, researchers revealed that Keenadu spreads through several channels. These include tampered over-the-air (OTA) firmware updates, existing backdoors, pre-installed system applications, altered apps from unofficial marketplaces, and even applications distributed via Google Play.

The malware exists in multiple versions, with the firmware-level variant being the most powerful. As of February 2026, Kaspersky confirmed at least 13,000 infected devices worldwide, primarily in Russia, Japan, Germany, Brazil, and the Netherlands.

Security experts likened Keenadu to Triada, a previously uncovered Android malware family identified in counterfeit, low-cost smartphones distributed through questionable supply chains.

Interestingly, the firmware-based version of Keenadu avoids activation if the device language or timezone corresponds to China, a detail that may hint at its origins. It also disables itself on devices lacking Google Play Store and Play Services.

While the operators are currently leveraging the malware for advertising fraud, researchers warn that its capabilities extend far beyond that. Keenadu can conduct extensive data theft and execute high-risk commands on infected devices.

“Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky told BleepingComputer.

“It can infect every app installed on the device, install any apps from APK files, and give them any available permissions.”

“As a result, all information on the device, including media, messages, banking credentials, location, etc. can be compromised. The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode,” the researchers said.

A separate variant embedded in system applications offers fewer capabilities but still maintains elevated privileges, enabling it to silently install apps without notifying users. Investigators found one instance hidden within a facial recognition system app used for device unlocking and authentication.

Researchers also detected malicious apps hosted on Google Play, including smart home camera applications that accumulated approximately 300,000 downloads before being removed. When launched, these apps secretly opened hidden browser tabs that navigated to background websites — behavior similar to suspicious APK files previously identified by Dr.Web.

Keenadu has also been traced to firmware in Android tablets from various manufacturers. One affected device, the Alldocube iPlay 50 mini Pro (T811M), contained firmware dated August 18, 2023.

Following customer concerns in March 2024 that Alldocube’s OTA infrastructure had been compromised, the company acknowledged “a virus attack through OTA software” but did not disclose further technical specifics.

Kaspersky’s technical analysis explains that Keenadu manipulates the critical Android library libandroid_runtime.so, allowing it to function “within the context of every app on the device.” Because of this deep-level integration, the malware cannot be removed using conventional Android security tools.

Experts advise users to reinstall a verified clean firmware version specific to their device. Alternatively, installing firmware from reputable third-party sources may help, though it carries the risk of rendering the device unusable if compatibility issues arise. In high-risk cases, replacing the affected device with hardware purchased from trusted vendors and authorized distributors is considered the safest approach.

In an update dated February 18, Google confirmed to BleepingComputer that the malicious apps had been taken down from Google Play.

"Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified." - A Google spokesperson
Read more »
Subscribe to: Comments (Atom)