Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malware. Show all posts
Windows
AI BadPaw Cloud Data malware Windows

BadPaw Malware Targets Uranian Systems


A newly found malware campaign exploiting a Ukrainian email service to build trust has been found by cybersecurity experts. 

About the campaign 

The operation starts with an email sent from an address hosted on ukr[.]net, a famous Ukrainian provider earlier exploited by the Russia based hacking group APT28 in older campaigns.

BadPaw malware 

Experts at ClearSky have termed the malware “BadPaw.” The campaign starts when a receiver opens a link pretending to host a ZIP archive. Instead of starting a direct download, the target is redirected to a domain that installs a tracking pixel, letting the threat actor to verify engagement. Another redirect sends the ZIP file. 

The archive pretends to consist of a standard HTML file, but ClearSky experts revealed that it is actually an HTA app in hiding. When deployed, the file shows a fake document related to a Ukrainian government border crossing request, where malicious processes are launched in the background. 

Attack tactic 

Before starting, the malware verifies a Windows Registry key to set the system's installation date. If the OS is older than ten days, deployment stops, an attack tactic that escapes sandbox traps used by threat analysts. 

If all the conditions are fulfilled, the malware looks for the original ZIP file and retrieves extra components. The malware builds its persistence via a scheduled task that runs a VBS script which deploys steganography to steal hidden executable code from an image file. 

Only nine antivirus engines could spot the payload at the time of study. 

Multi-Layered Attack

After activation within a particular parameter, BadPaw links to a C2 server. 

The following process happens:

Getting a numeric result from the /getcalendar endpoint. 

Gaining access to a landing page called "Telemetry UP!” through /eventmanager. 

Downloading the ASCII-encoded payload information installed within HTML. 

In the end, the decrypted data launches a backdoor called "MeowMeowProgram[.]exe," which offers file system control and remote shell access. 

Four protective layers are included in the MeowMeow backdoor: runtime parameter constraints, obfuscation of the.NET Reactor, sandbox detection, and monitoring for forensic tools like Wireshark, Procmon, Ollydbg, and Fiddler.

Incorrect execution results in a benign graphical user interface with a picture of a cat. The "MeowMeow" button only displays a harmless message when it is clicked.

Read more »
malware
ATM jackpotting Bank Security FBI Financial crime malware

ATM Jackpotting Malware Triggers Record Global ATM Heists in 2025

 

ATM jackpotting attacks surged dramatically in 2025, with cybercriminals using specialized malware to force cash machines to spit out money on command, often without touching any customer account. This new wave of attacks exposed serious weaknesses in how banks protect the physical and digital components of their ATM fleets. 

According to FBI figures, there have been about 1,900 reported ATM jackpotting cases in the United States since 2020, and more than 700 of those incidents occurred in 2025 alone, causing over 20 million dollars in losses. The attacks rely heavily on malware families such as Ploutus, which has been around for over a decade but continues to evolve. Instead of targeting customer accounts, Ploutus directly compromises the ATM’s operating system, allowing crooks to drain cassettes in minutes before anyone notices something is wrong. 

To execute a jackpotting operation, attackers first need physical access to the machine’s internals. The FBI notes that gangs often use widely available “generic” keys to open the service panel, then remove or connect to the hard drive or USB ports. Once inside, they either load malware onto the existing drive or swap in a pre‑infected disk that boots a compromised operating system capable of issuing unauthorized dispense commands. In many cases, a mule returns later, enters a secret code or connects a device, and collects the cash as the ATM empties itself.

What makes these operations so dangerous is that the malware can bypass normal bank authorization checks and trigger cash withdrawals without a card, PIN, or even a linked account.Because the machine behaves as if it is performing legitimate transactions, banks often only discover the theft after reconciling cash levels and seeing large, unexplained shortages. The U.S. Justice Department has already charged dozens of suspects in jackpotting schemes, including crews tied to transnational criminal groups accused of stealing millions of dollars from victim banks and credit unions. 

In response, the FBI and regulators are urging financial institutions and ATM operators to harden both physical and software defenses. Recommended steps include replacing standard locks, reinforcing ATM cabinets, keeping systems fully patched, and closely monitoring machines for signs of tampering or unexpected restarts. As 2026, ATM jackpotting has become a priority threat for the banking sector, underlining the need for continuous security upgrades and better coordination between banks, law enforcement, and cybersecurity teams.
Read more »
VNC Remote Access
Accessibility Service Exploit AI DrivenMalware Android Malware Android Security Threats Cyber Threats Gemini AI Abuse malware Mobile Banking Phishing VNC Remote Access

Google Responds After Reports of Android Malware Leveraging Gemini AI



There has been a steady integration of artificial intelligence into everyday digital services that has primarily been portrayed as a story of productivity and convenience. However, the same systems that were originally designed to assist users in interpreting complex tasks are now beginning to appear in much less benign circumstances. 


According to security researchers, a new Android malware strain appears to be woven directly into Google's Gemini AI chatbot, which seems to have a generative AI component. One of the most noteworthy aspects of this discovery is that it marks an unusual development in the evolution of mobile threat evolution, as a tool that was intended to assist users with problems has been repurposed to initiate malicious software through the user interface of a victim's device.

In real time, the malware analyzes on-screen activity and generates contextual instructions based on it, demonstrating that modern AI systems can serve as tactical enablers in cyber intrusions. As a result of the adaptive nature of malicious applications, traditional automated scripts rarely achieve such levels of adaptability. 

It has been concluded from further technical analysis that the malware, known as PromptSpy by ESET, combines a variety of established surveillance and control mechanisms with an innovative layer of artificial intelligence-assisted persistence. 

When the program is installed on an affected device, a built-in virtual network computing module allows operators to view and control the compromised device remotely. While abusing Android's accessibility framework, this application obstructs users from attempting to remove the application, effectively interfering with user actions intended to terminate or uninstall it. 

Additionally, malicious code can harvest lock-screen information, collect detailed device identifiers, take screenshots, and record extended screen activity as video while maintaining encrypted communications with its command-and-control system. 


According to investigators, the campaign is primarily motivated by financial interests and has targeted heavily on Argentinian users so far, although linguistic artifacts within the code base indicate that the development most likely took place in a Chinese-speaking environment. However, PromptSpy is characterized by its unique implementation of Gemini as an operational aid that makes it uniquely unique. 

A dynamic interpretation of the device interface is utilized by the malware, instead of relying on rigid automation scripts that simulate taps at predetermined coordinates, an approach that frequently fails across different versions or interface layouts of Android smartphones. It transmits a textual prompt along with an XML representation of the current screen layout to Gemini, thereby providing a structured map of the visible buttons, text labels, and interface elements to Gemini. 

Once the chatbot has returned structured JSON instructions which indicate where interaction should take place, PromptSpy executes those instructions and repeats the process until the malicious application has successfully been anchored in the recent-apps list. This reduces the likelihood that the process may be dismissed by routine user gestures or management of the system. 


ESET researchers noted that the malware was first observed in February 2026 and appears to have evolved from a previous strain known as VNCSpy. The operation is believed to selectively target regional victims while maintaining development infrastructure elsewhere by uploading samples from Hong Kong, before later variants surface in Argentina. 

It is not distributed via official platforms such as Google Play; instead, victims are directed to a standalone website impersonating Chase Bank's branding by using identifiers such as "MorganArg." In addition, the final malware payload appears to be delivered via a related phishing application, thought to be originated by the same threat actor. 

Even though the malicious software is not listed on the official Google Play store, analysts note that Google Play Protect can detect and block known versions of the threat after they are identified. This interaction loop involves the AI model interpreting the interface data and returning structured JSON responses that are utilized by the malware for operational guidance. 

The responses specify both the actions that should be performed-such as simulated taps-as well as the exact interface element on which they should occur. By following these instructions, the malicious application is able to interact with system interfaces without direct user input, by utilizing Android's accessibility framework. 

Repeating the process iteratively is necessary to secure the application's position within the recent apps list of the device, a state that greatly complicates efforts to initiate task management or routine gestures to terminate the process. 

Gemini assumes the responsibility of interpreting the interface of the malware, thereby avoiding the fragility associated with fixed automation scripts. This allows the persistence routine to operate reliably across a variety of screen sizes, interface configurations, and Android builds. Once persistence is achieved, the operation's main objective becomes evident: establishing sustained remote access to the compromised device. 

By deploying a virtual network computing component integrated with PromptSpy, attackers have access to a remote monitor and control of the victim's screen in real time via the VNC protocol, which connects to a hard-coded command-and-control endpoint and is controlled remotely by the attacker infrastructure. 

Using this channel, the malware is able to retrieve operational information, such as the API key necessary to access Gemini, request screenshots on demand, or initiate continuous screen recording sessions. As part of this surveillance capability, we can also intercept highly sensitive information, such as lock-screen credentials, such as passwords and PINs, and record pattern-based unlock gestures. 

The malware utilizes Android accessibility services to place invisible overlays across portions of the interface, which effectively prevents users from uninstalling or disabling the application. As a result of distribution analysis, it appears the campaign uses a multi-stage delivery infrastructure rather than an official application marketplace for delivery. 


Despite never appearing on Google Play, the malware has been distributed through a dedicated website that distributes a preliminary dropper application instead. As soon as the dropper is installed, a secondary page appears hosted on another domain which mimics JPMorgan Chase's visual identity and identifies itself as MorganArg. Morgan Argentina appears to be the reference to the dropper. 

In the interface, victims are instructed to provide permission for installing software from unknown sources. Thereafter, the dropper retrieves a configuration file from its server and quietly downloads it. According to the report, the file contains instructions and a download link for a second Android package delivered to the victim as if it were a routine application update based on Spanish-language prompts. 

Researchers later discovered that the configuration server was no longer accessible, which left the specific distribution path of the payload unresolved. Clues in the malware’s code base provide additional insight into the campaign’s origin and targeting strategy. Linguistic artifacts, including debug strings written in simplified Chinese, suggest that Chinese-speaking operators maintained the development environment. 

Furthermore, the cybersecurity infrastructure and phishing material used in the operation indicate an interest in Argentina, which further supports the assessment that the activity is not espionage-related but rather financially motivated. It is also noted that PromptSpy appears to be a result of the evolution of a previously discovered Android malware strain known as VNCSpy, the samples of which were first submitted from Hong Kong to VirusTotal only weeks before the new variant was identified.

In addition to highlighting an immediate shift in the technical design of mobile threats, the discovery also indicates a broader shift. It is possible for attackers to automate interactions that would otherwise require extensive manual scripting and constant maintenance as operating systems change by outsourcing interface interpretation to a generative artificial intelligence system. 

Using this approach, malware can respond dynamically to changes in interfaces, device models, and regional system configurations by changing its behavior accordingly. Additionally, PromptSpy's persistence technique complicates remediation, since invisible overlays can obstruct victims' ability to access the uninstall controls, thereby further complicating remediation. 

In many cases, the only reliable way to remove the application is to restart the computer in Safe Mode, which temporarily disables third-party applications, allowing them to be removed without interruption. As security researchers have noted, PromptSpy's technique indicates that Android malware development is heading in a potentially troubling direction. 

By feeding an image of the device interface to artificial intelligence and receiving precise interaction instructions in return, malicious software gains an unprecedented degree of adaptability and efficiency not seen in traditional mobile threats. 

It is likely that as generative models become more deeply ingrained into consumer platforms, the same interpretive capabilities designed to assist users may be increasingly repurposed by threat actors who wish to automate complicated device interactions and maintain long-term control over compromised systems. 

Security practitioners and everyday users alike should be reminded that defensive practices must evolve to meet the changing technological landscape. As a general rule, analysts recommend installing applications only from trusted marketplaces, carefully reviewing accessibility permission requests, and avoiding downloads that are initiated by unsolicited websites or update prompts. 

The use of Android security updates and Google Play Protect can also reduce exposure to known threats as long as the protections remain active. Research indicates that, as tools such as Gemini are increasingly being used in malicious workflows, it signals an inflection point in mobile security, which may lead to a shift in both the offensive and defensive sides of the threat landscape as artificial intelligence becomes more prevalent. 

It is likely that in order to combat the next phase of adaptive Android malware, the industry will have to strengthen detection models, improve behavioural monitoring, and tighten controls on high-risk permissions.
Read more »
ZIP File
DLL Domain malware Malware Trojan Website ZIP File

Fake FileZilla Website Distributes Malware-Infected Download

 



A fraudulent website is distributing a modified portable edition of FileZilla version 3.69.5 that contains embedded malware. The archive appears legitimate and includes the authentic open-source FTP client, but attackers inserted one additional file, a rogue dynamic-link library named version.dll, before repackaging and circulating it online.

When users download this altered ZIP file, extract it, and launch filezilla.exe, Windows follows its standard DLL loading order. The operating system checks the application’s own directory before referencing system libraries stored in C:\Windows\System32. Because the malicious version.dll is placed inside the FileZilla folder, Windows loads it first. From that moment, the malicious code executes within the legitimate FileZilla process.

This method relies on a long-established Windows behavior known as DLL search order hijacking. It does not involve a vulnerability in FileZilla itself. Instead, the compromise depends on users downloading the installer from an unofficial domain such as filezilla-project[.]live, which imitates the legitimate project site. The attack spreads through deception, including lookalike domains and search engine manipulation, rather than automated self-propagation.


Archive Examination Reveals a Single Suspicious File

The compromised archive contains 918 files. Among them, 917 entries show a last-modified date of 2025-11-12, consistent with the authentic portable release of FileZilla 3.69.5. One file differs: version.dll carries a timestamp of 2026-02-03, nearly three months newer than the rest.

A genuine portable distribution of FileZilla does not include version.dll. Legitimate libraries in the package typically include files such as libfilezilla-50.dll and libfzclient-private-3-69-5.dll. The Windows Version API library normally resides inside the operating system directory and has no reason to be bundled with FileZilla. Its inclusion forms the basis of the compromise.


The SHA-256 hash of the trojanized archive is:

665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755

The SHA-256 hash of the malicious version.dll is:

e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4


Execution Behavior Observed on a Live System

Monitoring the application with Process Monitor confirms the sideloading sequence. When filezilla.exe starts, Windows attempts to load required libraries. For files such as IPHLPAPI.DLL and POWRPROF.dll, the application directory does not contain a copy, producing “NAME NOT FOUND.” Windows then retrieves legitimate versions from the system directory.

For version.dll, however, the malicious copy is present locally. Windows maps it into memory without consulting System32. The attacker’s code now operates inside the trusted application process.

Approximately 17 milliseconds after loading, the malicious DLL attempts to locate version_original.dll in the same directory. The lookup fails. This pattern suggests DLL proxying, where attackers forward legitimate function calls to a renamed original library to preserve application stability. In this case, the renamed library was not included, which may explain abrupt application termination during testing.

FileZilla invokes LoadLibrary using only the file name rather than a full system path. While common in Windows software design, this practice enables directory-based DLL substitution.


Anti-Analysis Checks and Network Communication

Before activating its main payload, the DLL performs environmental checks. These include BIOS version inspection, system manufacturer queries, probing for VirtualBox registry keys, disk enumeration, memory allocation using write-watch techniques, and delayed execution loops. These checks aim to detect virtual machines or sandbox environments.

If the system appears genuine, the malware initiates encrypted domain resolution using DNS-over-HTTPS. It sends the following request to Cloudflare’s public resolver:

https://1.1.1.1/dns-query?name=welcome.supp0v3[.]com&type=A

Using HTTPS for DNS queries prevents traditional monitoring systems that rely on port 53 inspection from detecting the request.

After resolving the domain, the malware contacts:

https://welcome.supp0v3.com/d/callback?utm_tag=tbs2&utm_source=dll

Memory inspection revealed the embedded configuration:

{ "tag":"tbs", "referrer":"dll", "callback":"https://welcome.supp0v3.com/d/callback?utm_tag=tbs2&utm_source=dll" }

The UTM-style parameters suggest structured tracking of distribution channels.

The malware also attempts connections to 95.216.51[.]236 over TCP port 31415, a non-standard port. Ten connection attempts were recorded across two sessions, indicating retry logic designed to maintain communication.


Additional Capabilities Identified

Automated behavioral analysis indicated potential FTP credential harvesting. Because FileZilla stores connection details locally, unauthorized access could expose remote servers and hosting accounts. Other flagged behaviors included:

• Creation of suspended processes with memory injection

• Runtime .NET compilation using csc.exe

• Registry modifications consistent with persistence mechanisms

• Calls to Windows encryption-related APIs

These behaviors indicate functionality beyond simple credential theft, potentially including persistence and process manipulation.


Defensive Guidance

Users should download FileZilla exclusively from the official domain filezilla-project.org and verify the published hash values before execution. Portable installations should not contain version.dll. Its presence signals compromise.

Monitor outbound HTTPS traffic to public DNS resolvers such as 1.1.1.1 or 8.8.8.8 from non-browser applications. Review ZIP archive timestamps for inconsistencies before running software. Block the identified domains and IP address at the network perimeter if detected.

Malwarebytes reports detection and blocking of known variants of this threat.


Indicators of Compromise (IOCs)

• SHA-256 Hashes

665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755    FileZilla_3.69.5_win64.zip

e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4 — version.dll

• Domains

filezilla-project[.]live

welcome.supp0v3[.]com

• Network Indicator

95.216.51[.]236:31415


Read more »
Screen Overlay Attack
Accessibility Service Abuse Digital Identity Theft IPTV Malware Campaign malware Mobile Banking Trojan Mobile Cybersecurity Threats Screen Overlay Attack

New Massiv Malware Targets Android Banking Users Through Fake IPTV App


 

As a result of the convenience of mobile streaming, user behavior has quietly been reshaped, normalizing the practice of downloading applications outside of official app marketplaces that have been guarded. In this gray area of digital consumption, a recently discovered Android banking Trojan known as Massiv has begun to circulate, resulting in an alert to security researchers. 

A malware program disguised as an IPTV application and distributed by convincingly crafted third-party websites capitalizes on a routine that many users no longer question as a threat. Instead of providing a shortcut to premium or region-locked entertainment, cybercriminals are now using this shortcut as a conduit for financial intrusion, illustrating how cybercriminals are evolving in concert with changing consumer trends. 

A subsequent technical analysis conducted by the ThreatFabric mobile threat intelligence team revealed that Massiv incorporates a multilayered attack framework designed to bypass contemporary mobile security safeguards. In addition to intercepting user input, the Trojan uses keylogging capabilities to capture authenticating credentials in real time through screen overlay techniques. 

In Portugal, it primarily targets two critical applications, a government service platform and an accompanying digital authentication infrastructure known as Chave Móvel Digital. The Massive product embeds itself within the Accessibility Service and extracts structured interface data, including visible text strings, user interface element identifiers, screen coordinates, and interaction metadata, enabling operators to reconstruct user sessions without relying solely upon traditional screen capture techniques.

According to researchers, this secondary data extraction method is particularly useful against banking and communication applications with screen recording restrictions, effectively neutralizing a common defensive control. 

By collecting credentials and identity information, threat actors can go beyond immediate account compromise with their harvested credentials and identity data. As a result of investigations, fraudulent financial accounts were opened by investigators on behalf of victims across institutions where they had never previously engaged. 

Once these newly established accounts are fully controlled by the attackers, they are integrated into broader financial abuse schemes, facilitating illicit fund transfers, loan applications and structured cash outs.

It is important to note that the effect of the theft extends beyond temporary account access; victims may be exposed to long-term financial responsibilities linked to accounts and debts they did not authorize or recognize, thus illustrating a shift from opportunistic theft to systematic exploitation of people's identities. 

Throughout Massiv's architecture, surveillance, deception, and remote manipulation techniques are combined to achieve sustained control over compromised devices through deliberate convergence. By deploying screen overlays mimicking legitimate login interfaces, the malware attempts to harvest credentials unknowingly, prompting users to provide their authentication information into attacker-controlled forms.

The embedded keylogging functionality allows for the collection of credentials and other sensitive data in real time by capturing typed inputs. Beyond these conventional banking Trojan features, Massiv provides two advanced operating modes that substantially expand its capabilities, including live screen streaming using Android’s MediaProjection API and detailed user interface mapping using Accessibility Services. 

Using the latter mechanism, operators are able to extract structured UI-tree information, such as visible text, interface identifiers, and precise screen coordinates. By using this intelligence, attackers can simulate user interactions remotely, executing clicks, modifying fields, and navigating applications as if they held the device physically. 

According to researchers, this approach effectively circumvents screen-capture restrictions commonly employed by banking and secure messaging applications, thereby undermining a control widely relied upon to prevent session hijacking and visual data leakage. Distributing tactics demonstrate an adaptive approach to user behavior in addition. 

Researchers have observed a sustained increase in malware campaigns packaged within alleged IPTV streaming applications in recent months. Threat actors take advantage of the established pattern of off-store installation, as many of these streaming platforms operate in legal grey areas and can be obtained via sideloaded APK files rather than through official marketplaces. 

It is possible that the IPTV application has been developed entirely, serving primarily as a dropper for Massiv deployment. It is also possible that the application loads an authentic IPTV website within a WebView environment to maintain the appearance of legitimacy, while executing the malicious payload in the background. 

As a result of the geographical focus and scalability of the operation, activities have been largely concentrated in Spain, Portugal, France and Turkey. In the broader context, the implication is that contemporary banking malware has evolved far beyond simple credential interception campaigns, pursuing comprehensive identity takeover campaigns in a mass-scale manner, integrating fraud downstream, remote session control, and digital identity abuse into one operational chain. 

Using state-sponsored authentication systems in concert with banking platforms, attackers are able to increase their financial exposure and potential regulatory repercussions for victims as well as institutions. Mitigation requires the application of disciplined mobile security practices. 

As a precautionary measure, users are advised to download applications from Google Play only, keep Google Play Protect active, and avoid downloading APK files from unverified sources. Careful scrutiny of the application permissions remains important, particularly those that request Accessibility Service or screen recording privileges. 

A comprehensive awareness program at the organizational level should address the growing risk surface associated with mobile identity ecosystems, particularly in environments where state-issued digital credentials are integrated with financial services, demonstrating that mobile devices have become increasingly important vectors for identity-centric cybercriminals. 

As part of the recent surge of IPTV-themed Android malware campaigns over the past six to eight months, the Trojan has been designated "Massive" after a core internal module. ThreatFabric reports that operators have consistently employed streaming applications to spread infection, with the majority of activity occurring in Spain, Portugal, France, and Turkey, according to research by ThreatFabric. 

An IPTV platform has become increasingly popular as a method to normalize installation from unofficial sources due to its plausible user demand and distribution channel. From a technical perspective, Massiv is able to embed itself within the infected device through the incorporation of the necessary mechanisms. 

In addition to being aggressively aggressive with its request for permission to access Accessibility Service, the malware aggressively prompts victims to grant these permissions, a crucial requirement for sustained monitoring and interaction with system and application interfaces. 

Upon installation, customized overlay pages are deployed over selected applications for the collection of credentials. During one documented campaign, the malware impersonated the Portuguese government application gov.pt and solicited victims' phone numbers and PINs under the false pretense of legitimate authentication. Massive supports dual data acquisition methods. 

Using the Android MediaProjection API, it streams screen content directly to a remote operator to mirror user activity in real-time. A structured extraction technique known as UI-tree mode is employed by malware in applications that enforce screen capture protections. 

During this configuration, AccessibilityNodeInfo objects are recursively parsed to create a JSON-formatted representation of interface data, including visible text fields, element attributes, and interaction flags. By using this alternative method, attackers can reconstruct application states and inputs even when conventional screen recording is prevented. 

Research indicates that although Massiv has not yet been formally advertised as malware-as-a-service on underground forums, there are indications that the company is on its way to operational scaling. A review of the command-and-control communication framework reveals that API keys have been implemented, which implies that the architecture was designed to facilitate modular deployment or third-party operator access. 

As the campaign matures, additional capabilities may be integrated as a result of ongoing code refinements, which indicate active development. Having emerged, Massiv symbolizes the convergence of financial fraud, identity exploitation, and system abuse within a single operational framework, which represents a wider turning point in mobile threat evolution.

Mobile devices are increasingly being utilized as gateways to national identity systems and regulated financial ecosystems as attackers refine distribution tactics and invest in modular, scalable infrastructures. 

Rather than reacting to malware attacks, security teams and policymakers must focus on sustained mobile threat intelligence, tighter control over the integration of digital identities, and increased user awareness regarding permission abuse in order to provide a more comprehensive response to threats. 

The ability to maintain resilience in an environment where sideloaded convenience can lead to systemic risk will depend on the alignment of technical safeguards with regulatory oversight and informed user behavior against an adversary model whose capabilities are demonstrably changing in real time.
Read more »
malware
Android backdoor threat Android firmware attack Google Play malware removal Kaspersky security report Keenadu malware

Keenadu Android Malware Found in Device Firmware, Grants Hackers Full Control Over Infected Phones

 

A newly identified and highly advanced Android malware strain named Keenadu has been discovered embedded within firmware across multiple device brands, allowing attackers to infiltrate all installed applications and gain unrestricted access to compromised devices.

In a detailed report by Kaspersky, researchers revealed that Keenadu spreads through several channels. These include tampered over-the-air (OTA) firmware updates, existing backdoors, pre-installed system applications, altered apps from unofficial marketplaces, and even applications distributed via Google Play.

The malware exists in multiple versions, with the firmware-level variant being the most powerful. As of February 2026, Kaspersky confirmed at least 13,000 infected devices worldwide, primarily in Russia, Japan, Germany, Brazil, and the Netherlands.

Security experts likened Keenadu to Triada, a previously uncovered Android malware family identified in counterfeit, low-cost smartphones distributed through questionable supply chains.

Interestingly, the firmware-based version of Keenadu avoids activation if the device language or timezone corresponds to China, a detail that may hint at its origins. It also disables itself on devices lacking Google Play Store and Play Services.

While the operators are currently leveraging the malware for advertising fraud, researchers warn that its capabilities extend far beyond that. Keenadu can conduct extensive data theft and execute high-risk commands on infected devices.

“Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky told BleepingComputer.

“It can infect every app installed on the device, install any apps from APK files, and give them any available permissions.”

“As a result, all information on the device, including media, messages, banking credentials, location, etc. can be compromised. The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode,” the researchers said.

A separate variant embedded in system applications offers fewer capabilities but still maintains elevated privileges, enabling it to silently install apps without notifying users. Investigators found one instance hidden within a facial recognition system app used for device unlocking and authentication.

Researchers also detected malicious apps hosted on Google Play, including smart home camera applications that accumulated approximately 300,000 downloads before being removed. When launched, these apps secretly opened hidden browser tabs that navigated to background websites — behavior similar to suspicious APK files previously identified by Dr.Web.

Keenadu has also been traced to firmware in Android tablets from various manufacturers. One affected device, the Alldocube iPlay 50 mini Pro (T811M), contained firmware dated August 18, 2023.

Following customer concerns in March 2024 that Alldocube’s OTA infrastructure had been compromised, the company acknowledged “a virus attack through OTA software” but did not disclose further technical specifics.

Kaspersky’s technical analysis explains that Keenadu manipulates the critical Android library libandroid_runtime.so, allowing it to function “within the context of every app on the device.” Because of this deep-level integration, the malware cannot be removed using conventional Android security tools.

Experts advise users to reinstall a verified clean firmware version specific to their device. Alternatively, installing firmware from reputable third-party sources may help, though it carries the risk of rendering the device unusable if compatibility issues arise. In high-risk cases, replacing the affected device with hardware purchased from trusted vendors and authorized distributors is considered the safest approach.

In an update dated February 18, Google confirmed to BleepingComputer that the malicious apps had been taken down from Google Play.

"Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified." - A Google spokesperson
Read more »
UNC1069
malware Mandiant North Korea Hackers phishing UNC1069

North Korean Hackers Deploy New macOS Malware in Crypto Theft Campaign

 

North Korean hackers, tracked as UNC1069 by Google's Mandiant, have deployed sophisticated new macOS malware in targeted cryptocurrency theft campaigns. These attacks leverage AI-generated deepfake videos and social engineering via Telegram to trick victims into executing malicious commands. The operation, uncovered during an investigation into a fintech company breach, highlights the evolving threat to macOS users in the crypto sector.

The malicious campaign begins with hackers compromising a legitimate Telegram account from a crypto executive to build rapport with targets. They direct victims to a spoofed Calendly link leading to a fake Zoom page hosting a deepfake CEO video call. Posing as audio troubleshooting, attackers guide users to run ClickFix-style commands from a webpage, tailored for both macOS and Windows, initiating payload deployment.

Mandiant identified seven distinct macOS malware families in the chain, starting with AppleScript and a malicious Mach-O binary. Key tools include WAVESHAPER, a C++ backdoor for system reconnaissance and C2 communication; HYPERCALL and HIDDENCALL, Golang loaders and backdoors enabling remote access; and SILENCELIFT, a minimal backdoor disrupting Telegram on rooted systems. Newer implants like DEEPBREATH, a Swift data miner bypassing TCC protections to steal keychain, browser, and Telegram data, underscore the attack's breadth.

Additional malware such as SUGARLOADER, a persistent C++ downloader, and CHROMEPUSH, a Chromium extension stealer harvesting credentials and keystrokes, maximize data exfiltration. This unusually high volume of payloads on a single host aims at crypto theft and future social engineering using stolen identities. Detection remains low, with only SUGARLOADER and WAVESHAPER showing VirusTotal flags, emphasizing stealth.

UNC1069, active since 2018, shifted from Web3 targets in 2023 to financial services and crypto infrastructure last year. Similar tactics were seen in 2025 BlueNoroff attacks, but this campaign introduces novel tools amid North Korea's growing macOS focus. Crypto firms must prioritize endpoint detection, deepfake awareness training, and TCC hardening to counter these persistent threats.
Read more »
ZeroDayRAT Malware
Android Security Threats Commercial Spyware Platforms iOS Surveillance Risks malware Mobile Banking Trojan Mobile Spyware NFC Relay Attacks Remote Access Trojan ZeroDayRAT Malware

ZeroDayRAT Marks Significant Shift in Cross Platform Mobile Surveillance


 

It is widely recognized that mobile devices serve as modern life vaults, containing conversations, credentials, financial records, and fragments of professional strategy behind polished glass screens. But this sense of contained security is increasingly being tested.

A new cross-platform remote access trojan designed to operate across both Android and iOS environments has been discovered by security researchers. A sophisticated zero-day exploit alone is not sufficient to gain initial access to the threat, as it is able to exploit carefully crafted social engineering lures and sideloaded applications. 

Once embedded, it provides continuous, real-time control over compromised devices by capturing screen images, logging keystrokes, and extracting sensitive information and credentials in a systematic manner. With its modular design and deliberate stealth mechanisms, it blends seamlessly into legitimate system processes, complicating detection efforts for conventional mobile security defenses and emphasizing the increasing threat surface of everyday smartphones and tablets. 

Additionally, a thorough analysis indicates that ZeroDayRAT is not a standalone sample of malware, but rather a commercially packaged surveillance platform intended for wide distribution. A technical report published by iVerify on February 10, 2026 and a follow-up article by The Hacker News on February 16, 2026 indicate that the spyware can be deployed using Telegram-based channels as a ready-to-deploy toolkit. 

The system includes a graphical application builder, a web control panel for managing devices, a structured sales and support infrastructure, and regular updates from developers. With the operation model, advanced mobile compromise can be made accessible to individuals without technical expertise, by decentralizing command infrastructure by allowing each purchaser to operate an independent control panel rather than relying on a shared command-and-control backbone. 

Furthermore, ZeroDayRAT does not rely upon exploiting undetected zero-day vulnerabilities within mobile operating systems in order to function. Rather, its operators employ layered social engineering techniques to obtain initial access.

Early campaigns have exhibited a variety of distribution vectors, including malicious APK download links sent via smishing campaigns, phishing emails that direct recipients to fraudulent portals, cloned app storefronts, and weaponized links distributed through messaging platforms such as WhatsApp and Telegram.

Infection chains typically involve installing malicious configuration profiles or enterprise-signed payloads on iOS devices and Android devices; they are persuaded to sideload malicious applications. When spyware is deployed, it establishes persistent remote access, enabling real-time monitoring, credential harvesting, file extraction, and manipulation of devices. 

As of today, this platform is compatible with Android versions 5 through 16 as well as iOS versions 26 and older, as well as newly released hardware. The cross-version operability of commercial spyware underscores the shift towards scalability and adaptability as opposed to exploit dependency in the commercial spyware sector. 

Using spyware-as-a-service models to eliminate centralized infrastructure and reduce the technical requirements for operation, ZeroDayRAT illustrates how spyware-as-a-service models are transforming the threat ecosystem in 2026. In recent years, the mobile device has become more and more a primary target for financial fraud, coercive surveillance, and data exfiltration, driven largely by the systematic weaponization of human trust rather than novel vulnerabilities. 

Research conducted by iVerify demonstrates that ZeroDayRAT's surveillance architecture extends far beyond conventional data harvesting and functions as a comprehensive system for monitoring and exploiting financial assets in real-time. By providing a structured overview of compromised devices, the operator dashboard identifies the device model, operating system build, battery metrics, SIM identifiers, geographical location, and lock status of compromised devices.

In addition, attackers are able to view detailed activity logs, such as application usage histories, SMS exchanges, and chronological activity timelines, which allows them to effectively reconstruct a victim's digital behavior profile based on this central interface. Further dashboard modules display incoming notification streams, enumerate registered accounts on the device (displaying associated email addresses or user IDs), and facilitate credential-stuffing and brute-force operations. 

In the event that location permissions have been granted, the spyware can plot live device positioning through a rendered interface similar to Google Maps, complete with historical tracking of movements. As opposed to passive observation, ZeroDayRAT provides active intrusion features as well, enabling operators to remotely activate front and rear cameras, listen to live audio recordings, and initiate screen recordings to capture sensitive activity on a computer screen. 

As soon as SMS permissions are obtained, the malware may intercept incoming one-time passwords, effectively negating two-factor authentication measures, and also dispatch outbound messages directly from the compromised device. In addition to a dedicated keylogging module, the toolkit incorporates a dedicated feature to record gesture patterns, screen unlock sequences, and typed input. 

An additional component of financial targeting includes scanning for wallet applications including MetaMask, Trust Wallet, Binance, and Coinbase, among others, to detect cryptocurrency theft. The attacker attempts clipboard manipulation by substituting copied wallet addresses with attacker-controlled ones upon detection and catalogs wallet identifiers and balances. 

To harvest authentication credentials, parallel modules employ overlay attacks against banking applications, UPI platforms such as Google Pay and PhonePe, as well as payment services such as Apple Pay and PayPal in order to target traditional financial ecosystems. Despite the lack of exhaustive description of ZeroDayRAT's exact initial infection vectors, iVerify describes ZeroDayRAT as a comprehensive mobile compromise toolkit designed to allow for operational flexibility. 

Individual privacy violations are not the only implication; infected employee devices may provide access into enterprise environments, exposing corporate credentials, communications, and financial systems. Compromised security may result in sustained surveillance and direct financial loss for individual users. 

In addition to strict adherence to official application distribution channels, researchers recommend limiting installation of applications to reputable publishers. These include Google Play for Android and Apple App Store for iOS. 

As a precaution against high-impact mobile spyware campaigns, high-risk users are encouraged to enable hardened security configurations, such as Lockdown Mode on iOS and Advanced Protection features on Android. This exposure of ZeroDayRAT reinforces a broader security imperative: mobile risk cannot be considered secondary to desktop or network security.

As surveillance-grade technology becomes more commercialized and operationally simplified, organizations will have to revisit their trust assumptions regarding both employee-owned and corporate-issued devices. It is important to consider continuous monitoring of mobile threats, enforcing strict mobile device management policies, enforcing conditional access controls, and performing routine permission audits as baseline safeguards rather than advanced ones. 

It remains important to minimize sideloading practices, analyze configuration profile requests carefully, restrict accessibility privileges, and maintain rapid operating system updates as part of a comprehensive countermeasure strategy. 

A key finding of the trajectory of mobile spyware development is that technical defenses must be paired with user awareness and institutional resilience. Currently, smartphones serve as consolidated authentication, financial, and communication hubs; their strategic value requires layered security disciplines commensurate with their strategic importance.
Read more »
Runtime Obfuscation
Advanced Persistent Threats Command And Control Cyber Threat Intelligence In Memory Decryption malware Remcos RAT Remote Access Trojan Runtime Obfuscation

Enhanced Surveillance Functions Signal a Strategic Shift in Remcos RAT Activity


 

It is difficult to discern the quiet recalibration of remote access malware that occurs without spectacle, but its consequences often appear in plain sight. The newly identified variant of Remcos RAT illustrates this progression clearly and unnervingly. 

In its current architecture, the updated strain focuses on immediacy and persistence instead of serving as passive collectors of stolen information. With its newly designed operational design promoting direct, continuous communication with attacker-controlled infrastructure, it allows for the observation of compromised Windows systems in real time rather than after the incident has occurred. This shift does more than simply represent a routine upgrade.

By moving away from the traditional method of locally caching harvested data, the malware reduces the amount of digital residue typically left behind by investigators. By transmitting information in near real time, compromise and exploitation can be minimized. 

The latest build enhances this capability by enabling live webcam streaming and instantaneous keystroke transmission, creating active surveillance endpoints on infected machines. Therefore, the variant reinforces a broader trend within the threat landscape which places more importance on speed, stealth, and sustained visibility over simple data exfiltration.

According to Point Wild's Lat61 Threat Intelligence Team, the latest Remcos iteration has been designed with a deliberate focus on runtime concealment and forensic minimization in mind. In contrast to the traditional method of embedding webcam footage within the core payload, a streaming module is retrieved and executed only on operator instruction, thereby minimizing its exposure during routine scanning.

The handling of command-and-control configuration data, which is decrypted solely in memory, as opposed to writing it to disk, is also significant. In combination with dynamic API resolution, this approach further complicates static analysis. As opposed to hard-coding Windows API references, malware resolves and decrypts them during execution, thereby frustrating signature-based detection and impeding reverse engineering. 

Additionally, the variant maintains its stealth posture by systematically removing artifacts associated with persistence mechanisms. Screenshots, audio captures, keylogging outputs, browser cookies, and registry entries are purged prior to termination.

The malware may also generate a temporary Visual Basic script to enable the deletion of proprietary or operational files before self-exiting, thereby reducing the residual indicators investigators might otherwise be able to utilize. As researchers observe, the malware has continuously refined its evasion and operational depths, illustrating its continued relevance in the remote access trojan ecosystem. 

During the execution phase, the malware conducts privilege assessments in order to determine the level of system access available for subsequent behavior based upon the privilege assessment. By utilizing this conditional logic, decisions regarding privilege escalation are influenced and high-impact actions can be executed, including the modification of protected directories, changes to registry keys, deployment of persistence mechanisms, or interference with security services—activities that typically require elevated privileges.

By tailoring its behavior to the access context, the malware enhances its survivability and effectiveness within compromised environments by increasing its survivability and effectiveness. As part of initialization routines, intent is obscured until execution is well underway.

As part of the configuration storage process, the binary stores parameters in encrypted or compressed form, allowing parameters to be decrypted only when the command-and-control infrastructure is established.

A layered sequence is created by setting persistence mechanisms, dynamically loading APIs, and selectively activating operational capabilities, thus concealing the full range of functionality during preliminary inspection. These architectural decisions reinforce Remcos RAT's primary objective of providing sustained, covered access accompanied by comprehensive data theft. This malware offers capabilities such as credential harvesting, real-time surveillance, and structured data exfiltration, allowing operators to extract sensitive information as well as maintain interactive control over compromised systems. 

Remcos' current form represents the next evolution of remote access malware—one where stealth, adaptability, and runtime obfuscation define the next phase in this evolving threat landscape. In addition to its layered execution chain, the malware performs a structured privilege assessment prior to initiating high-impact operations. 

By granting elevated rights, it is able to modify registry keys, deploy persistence mechanisms in protected directories, and interfere with or disable local security protocols. In order to prevent multiple concurrent executions of Rmc-GSEGIF, a uniquely named mutex is instantiated, thus ensuring operational stability and reducing the possibility that anomalous behavior may reveal the infection. 

Similarly, the command-and-control infrastructure is protected from direct examination. A malware binary does not contain a readable endpoint address, instead it stores an encrypted C2 address within the binary. As the string is reconstructed in memory during runtime, it can be utilized immediately to establish outbound communication via HTTP or raw TCP channels. 

Through the application of transient reconstruction, static indicators are minimized and the window for intercepting configuration artifacts prior to network activity is narrowed. Following the completion of surveillance and exfiltration tasks, the malware moves to a cleaning phase intended to reduce the possibility of forensic reconstruction. 

The keylogging outputs, screenshots, and audio recordings generated during the operation are systematically deleted, as well as cookies and registry entries associated with persistent access. To complete the self-erasure process, the malware drops a temporary script in the %TEMP% directory which is tasked with deleting remaining executable components before terminating the process. 

As a result of this staged removal mechanism, the evidentiary trail is fragmented, further complicating the analysis after the incident. It is noted by Point Wild researchers that incrementally refined yet consistent refinements of these techniques reflect a sustained commitment to operational resilience and stealth. 

As Remcos continues to evolve, they point out, Remcos reinforces its status as a flexible and enduring remote access trojan. A security team should intensify monitoring of anomalous outbound network connections and unauthorized registry modifications - indicators that may indicate the presence of run-time-obfuscated threats within enterprise environments. 

Among the key elements of the malware’s defensive architecture is the deliberate elimination of plaintext indicators. In the binary, the command-and-control endpoint is not stored in readable form, making it difficult to extract static strings, detect antivirus infections using signatures, and harvest indicators easily.

It is instead the C2 address (IP and port) that is encoded as an encrypted byte array during execution, which is subsequently reconstructed in memory by a byte-wise XOR operation before being sent to the networking layer for outbound communication. Further reducing static visibility, the malware dynamically loads WININET.dll at runtime in place of declaring imports beforehand, and uses the decrypted endpoint to communicate via HTTP or TCP. 

By implementing a transient reconstruction model, critical infrastructure details are reconstructed in memory in an ephemeral manner. This design philosophy is also applied to its surveillance modules. Keyloggers online follow the same structural logic as offline predecessors, but they do not rely on disk persistence.

Instead of writing intercepted keystrokes to local storage, they are packaged in structured payloads and sent directly through the established C2 channel, instead of writing them to local storage. User inputs are intercepted by input hooks, which are streamed to an attacker-controlled infrastructure in real time. 

In addition to minimizing forensic artifacts on the victim's file system by bypassing local file creation, the malware offers operators continuous visibility into active sessions, including browser-based interactions and credentials entry fields. As part of modularization, webcam monitoring capabilities remain flexible and minimize the static footprint of the system. 

Video capture logic is not embedded in the primary executable; rather, upon receiving a webcam-related command, it retrieves a dedicated Dynamic Link Library from the C2 server. After the module is delivered to memory or temporarily to disk, depending on configuration, the module is dynamically loaded with Windows API functions such as LoadLibrary, and specific exported routines are resolved with GetProcAddress. 

A video capture device is initialized, frames are collected, compressed or encoded, and the resulting data is returned to the core process after encoding or compressing. By using the compartmentalized approach, the captured output can be transmitted in segmented form over the existing obfuscated communication channel while maintaining a static signature for the primary payload that does not have to be expanded. 

As an example of additional extensibility, credential recovery plugins, including modules that expose functions such as FoxMailRecovery, that are loaded on demand in order to retrieve stored account information from targeted applications, exhibit additional extensibility. In order to execute and handle commands, a structured, text-based protocol is followed, encapsulating instructions and outputs within predefined string tokens prior to transmission. 

As a result of invoking specific execution flags, such as /sext, the malware temporarily writes the output of a command to a randomly named file within the malware's working directory when it is invoked. By reading, exfiltrating, and deleting the contents, operational continuity and persistent traces can be maintained. In conjunction with these mechanisms, a coherent architectural strategy is demonstrated that emphasizes runtime decryption, modular capability loading, and artifact suppression. 

By making sure sensitive configuration data, surveillance outputs, and auxiliary functionality are either memory-resident or transient, the new Remcos variant emphasizes the importance of security, adaptability, and sustained remote control in compromised Windows environments. These developments take together to illustrate an overall operational shift that cannot be ignored by defenders. 

The Remcos variant exemplifies a class of threats designed to run primarily in memory, minimize static indicators, and adapt dynamically to host conditions as needed. The conventional signature-based controls and perimeter-focused monitoring will not be sufficient to provide sufficient protection against runtime-obfuscated activities on their own. 

In addition to continuous monitoring of anomalous outbound traffic patterns, suspicious API resolutions in memory, unauthorized registry modifications, and irregular module loading events, security teams should prioritize behavioral detection strategies. 

The ability to detect subtle persistence and data exfiltration attempts will be largely dependent on improving endpoint detection and response capabilities, enforcing least privilege access policies, and analyzing telemetry across network and host layers. In an increasingly modular and stealthy environment, proactive detection engineering and disciplined threat hunting will be vital to reducing dwell times and minimizing operational impact.
Read more »
Windows
Avast malware PC Games pirated games Software Windows

Windows Malware Distributed Through Pirated Games Infects Over 400,000 Systems

 



A Windows-focused malware operation spreading through pirated PC games has potentially compromised more than 400,000 devices worldwide, according to research released by Cyderes. The company identified the threat as “RenEngine loader” and reported that roughly 30,000 affected users are located in the United States alone.

Investigators found the malicious code embedded inside cracked and repackaged versions of popular game franchises, including Far Cry, Need for Speed, FIFA, and Assassin’s Creed. The infected installers appear to function normally, allowing users to download and play the games. However, while the visible game content runs as expected, concealed code executes in parallel without the user’s awareness.

Researchers traced part of the operation to a legitimate launcher built on Ren'Py, an engine commonly used for visual novel-style games. The attackers embedded harmful components within this launcher framework. When executed, the launcher decompresses archived game files as intended, but at the same time initiates the hidden malware routine.

According to Cyderes, the campaign has been active since at least April of last year and remains ongoing. In October, the operators modified the malware to include an embedded telemetry URL. Each time the RenEngine loader runs, it connects to this address, allowing the attackers to log activity. Analysis of that telemetry endpoint enabled researchers to estimate overall infection levels, with the system recording between 4,000 and 10,000 visits per day.

Telemetry data indicates that the largest concentration of victims is located in India, the United States, and Brazil. The US accounts for approximately 30,000 of the infected systems identified through this tracking mechanism.

The loader’s primary function is to deliver additional malicious software onto compromised machines. In multiple cases, researchers observed it deploying a Windows-based information stealer known as ARC. This malware is designed to extract stored browser passwords, session cookies, cryptocurrency wallet information, autofill entries, clipboard data, and system configuration details.

Cyderes also reported observing alternative payloads delivered through the same loader infrastructure, including Rhadamanthys stealer, Async RAT, and XWorm. These programs are capable of credential theft and, in some cases, remote system control, enabling attackers to monitor activity or manipulate infected devices.

The investigation identified one distribution source, dodi-repacks[.]site, as hosting downloads containing the embedded malware. The domain has previously been associated with other malicious distribution activity.

Detection remains limited at the initial infection stage. Public scan results from Google’s VirusTotal platform indicate that, aside from Avast, AVG, and Cynet, most antivirus engines currently do not flag the loader component as malicious. This detection gap increases the likelihood that users may remain unaware of compromise.

Users who suspect infection are advised to run updated security scans immediately. If concerns persist, Windows System Restore may help revert the device to a prior clean state. In cases where compromise cannot be confidently removed, a full operating system reinstallation may be necessary.

The findings reinforce a recurring cybersecurity risk: unauthorized software downloads frequently serve as a delivery channel for concealed malware capable of exposing personal data and granting attackers extended access to victim systems.

Read more »
StealC
AI infostealer malware API Data Stealer GitHub malware MCP security vulnerability StealC

Hackers Use Fake Oura AI Server to Spread StealC Malware

 



Cybersecurity analysts have uncovered a fresh wave of malicious activity involving the SmartLoader malware framework. In this campaign, attackers circulated a compromised version of an Oura Model Context Protocol server in order to deploy a data-stealing program known as StealC.

Researchers from Straiker’s AI Research team, also referred to as STAR Labs, reported that the perpetrators replicated a legitimate Oura MCP server. This genuine tool is designed to connect artificial intelligence assistants with health metrics collected from the Oura Ring through Oura’s official API. To make their fraudulent version appear authentic, the attackers built a network of fabricated GitHub forks and staged contributor activity, creating the illusion of a credible open-source project.

The ultimate objective was to use the altered MCP server as a delivery vehicle for StealC. Once installed, StealC is capable of harvesting usernames, saved browser passwords, cryptocurrency wallet information, and other valuable credentials from infected systems.

SmartLoader itself was initially documented by OALABS Research in early 2024. It functions as a loader, meaning it prepares and installs additional malicious components after gaining a foothold. Previous investigations showed that SmartLoader was commonly distributed through deceptive GitHub repositories that relied on AI-generated descriptions and branding to appear legitimate.

In March 2025, Trend Micro published findings explaining that these repositories frequently masqueraded as gaming cheats, cracked software tools, or cryptocurrency utilities. Victims were enticed with promises of free premium functionality and encouraged to download compressed ZIP files, which ultimately executed SmartLoader on their devices.

Straiker’s latest analysis reveals an evolution of that tactic. Instead of merely posting suspicious repositories, the threat actors established multiple counterfeit GitHub profiles and interconnected projects that hosted weaponized MCP servers. They then submitted the malicious server to a recognized MCP registry called MCP Market. According to the researchers, the listing remains visible within the MCP directory, increasing the risk that developers searching for integration tools may encounter it.

By infiltrating trusted directories and leveraging reputable platforms such as GitHub, the attackers exploited the inherent trust developers place in established ecosystems. Unlike rapid, high-volume malware campaigns, this operation progressed slowly. Straiker noted that the group spent months cultivating legitimacy before activating the malicious payload, demonstrating a calculated effort to gain access to valuable developer environments.

The staged operation unfolded in four key phases. First, at least five fabricated GitHub accounts, identified as YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112, were created to generate convincing forks of the authentic Oura MCP project. Second, a separate repository containing the harmful payload was introduced under another account named SiddhiBagul. Third, these fabricated accounts were listed as contributors to reinforce the appearance of collaboration, while the original project author was intentionally omitted. Finally, the altered MCP server was submitted to MCP Market for broader visibility.

If downloaded and executed, the malicious package runs an obfuscated Lua script. This script installs SmartLoader, which then deploys StealC. The campaign signals a shift from targeting individuals seeking pirated content to focusing on developers, whose systems often store API keys, cloud credentials, cryptocurrency wallets, and access to production infrastructure. Stolen information could facilitate subsequent intrusions into larger networks.

To mitigate the threat, organizations are advised to catalogue all installed MCP servers, implement formal security reviews before adopting such tools, confirm the authenticity and source of repositories, and monitor network traffic for unusual outbound communications or persistence behavior.

Straiker concluded that the incident exposes weaknesses in how companies assess developing AI tools. The attackers capitalized on outdated trust assumptions applied to a rapidly expanding attack surface, underscoring the need for stricter validation practices in modern development environments.

Read more »
Strela Stealer Campaign
Detour Dog Threat Actor DNS Command And Control DNS Security Monitoring DNS TXT Record Exploit Initial Access Broker malware Strela Stealer Campaign

The Growing Threat of DNS Powered Email and Web Attacks


 

As an important component of the internet architecture, the Domain Name System has historically played the role of an invisible intermediary converting human intent into machine-readable destinations without much scrutiny or suspicion. However, this quiet confidence has now been put to the test. 

Research conducted by DomainTools has revealed a subtle yet consequential technique that redefines DNS into a covert delivery channel for malicious code rather than just a directory service. Rather than hosting payloads on compromised servers or suspicious domains, attackers fragment malware into tiny segments and embed them in DNS TXT records scattered across a variety of subdomains.

The fragments appear harmless when isolated, indistinguishable from legitimate configuration information. However, after systematically querying and reassembling-often by scripting PowerShell commands-the pieces combine to form fully functional malware. As a result of the implicit trust placed in DNS traffic and the limited visibility many organizations maintain over it, this methodical approach is inexpensive, methodical, and quiet. 

According to a report by Ars Technica, DNS infrastructure abuse is not merely theoretical. Threat actors have operationalized the technique in a manner that has been remarkable in its precision. In that instance, the malicious payload was converted into hexadecimal form and separated into hundreds of discrete chunks. As a result of the registration of whitetreecollective.com and generation of a large number of subdomains, the operators assigned each fragment to a distinct TXT record of the host. 

These records, individually, appeared to be indistinguishable from routine DNS metadata which is commonly used for verifying domains, authenticating email, and establishing service configurations. Collectively, however, they constitute a malware repository incorporated into the DNS infrastructure as a whole. Upon establishing foothold access inside a target environment, the reconstruction process did not require any more conspicuous methods than a series of DNS queries. 

Each encoded fragment was retrieved individually using scripted queries, which allowed the payload to be assembled in memory without the need for conventional file downloads or suspicious HTTP traffic. This retrieval mechanism blends seamlessly into ordinary network activity since DNS requests are ubiquitous and rarely subject to deep inspection, particularly in environments requiring encrypted resolvers. 

Even though DNS tunneling has long been associated with data exfiltration and command-and-control communications, the deliberate hosting of malicious payloads across TXT records represents a more assertive evolution in this area. 

Through the campaign, people illustrate the importance of comprehensive DNS telemetry, anomaly detection, and policy enforcement within modern enterprise security architectures, and demonstrate how foundational internet protocols, when inadequately monitored, can be repurposed into resilient delivery channels. 

Furthermore, investigations into DNS-enabled threat infrastructure revealed the activities of a threat actor identified as Detour Dog, who was the key enabler for campaigns to distribute the Strela Stealer malware. In accordance with Infoblox analysis, the actor is in control of domains hosting the initial malware component a lightweight backdoor called StarFish that is used to deliver the malware chain. 

During the first stage, the implant functions as a reverse shell, establishing a persistent communication channel that facilitates retrieving and executing the Strela Stealer payload. Informationblox has been tracking Detour Dog since August 2023, when Sucuri, a company owned by GoDaddy, reported security breaches targeting WordPress sites. 

Early operations involved the injection of malicious JavaScript into compromised websites to serve as covert command channels for traffic distribution systems using DNS TXT records. Visitors were silently directed to malicious sites or fraudulent pages.

Historical telemetry indicates a sustained and evolving presence of the actor since February 2020, suggesting that its infrastructure extends back as far as February 2020. Operational model has since matured. Where redirects once supported scams, DNS-based command-and-control frameworks now permit staged execution of remote payloads. 

According to IBM X-Force, StarFish is delivered through weaponized SVG files, enabling persistent attacks and hands-on access to compromised systems. A financially motivated operator has been identified as Hive0145 since at least 2022 as the sole operator responsible for the Strala Stealer, a criminal operation that has been functioning as an initial access broker monetizing unauthorized access to networks by reselling them to other criminals. 

Further, Detour Dog's DNS infrastructure was found to play a major role in 69 percent of confirmed StarFish staging hosts, highlighting its central role in the broader campaign. Additionally, the attack chain included a MikroTik-based botnet, marketed as REM Proxy, which was armed with SystemBC malware previously analyzed by Black Lotus Labs at Lumen Technologies. 

In addition to REM Proxy, Tofsee botnet, which historically propagated through PrivateLoader C++ loader, was also responsible for spam emails that delivered Strela Stealer. Detour Dog's infrastructure consistently hosted the first-stage payload on both distribution pathways, confirming the actor's role as a crucial DNS-centric facilitator within Strela's ecosystem.

When Detour Dog first emerged as a threat intelligence source, its activities seemed relatively simple. The primary use of compromised websites was to redirect visitors to fraudulent advertising networks, scam websites, and deceptive CAPTCHA pages that are intended to generate illegal revenue through forced clicks. However, telemetry indicated a strategic shift by late 2024. 

Initially, the infrastructure served as a traffic monetization strategy, but it soon became a distribution backbone for materially more dangerous payloads. A DNS-centric framework was observed to facilitate the delivery of Strela Stealer, a family of malware that steals information associated with the threat actor Hive0145, in mid-2025. 

The Strela campaigns, usually initiated through malicious email attachments themed around invoices, are intended to exfiltrate user credentials, session information, and host information stored in browsers. There is no indication that Detour Dog directly hosts final-stage malware binaries.

In reality, it appears to operate as a DNS relay layer, resolving staged instructions and retrieving remote payloads from attacker-controlled servers before relaying them through compromised web assets. Indirection obscures the true origin of malware and complicates the static blocking process. A detailed description of Detour Dog's operation remains unclear. It is unclear whether it functions solely as an infrastructure provider or concurrently runs its own campaigns. 

According to an analysis of infrastructure overlap and domain control, Detour Dog has provided DNS channels to other operators, including Hive0145, for distribution of payloads. According to internal research, nearly two-thirds of the staging domains associated with recent campaigns are controlled by Detour Dog, suggesting a delivery-for-hire model as opposed to a single threat operation whose focus is on a single, isolated threat. 

The primary entry point into the ecosystem continues to be email. Malicious attachments often masquerade as invoices or business documents and initiate a multi-stage infection process. This documentation does not embed the final payload in its entirety, but instead refers to compromised domains that query Detour Dog's name servers for further instructions.

By using DNS lookups as a precursor to remote execution, ostensibly benign clicks can be transformed into covert downloads and staging sequences as a result of a server-side retrieval process. Mass distribution has been linked to botnets such as REM Proxy, a MikroTik-based network, and Tofsee, while Detour Dog provides persistent hosting and DNS command and control relays to protect backend infrastructure against direct exposure. 

The segmentation of responsibilities reflects the increasingly modular nature of cybercriminals' supply chains. Among the groups, one manages spam dissemination, another provides DNS and hosting infrastructure resilience, and a third develops and operates the information-stealing payload. Such compartmentalization makes attribution and disruption difficult. 

A single component rarely dismantles an operation; actors can reconstitute infrastructure or redirect traffic in a matter of seconds if a single component is removed. As such, defensive strategies must include DNS-layer intelligence capable of detecting anomalous TXT record queries as well as covert command channels prior to downstream payload execution.

The example of Detour Dog demonstrates how foundational internet protocols can be used to deliver stealth payloads. It has been observed that threat actors embed malicious orchestration in routine DNS activity to transform everyday web traffic into an unobtrusive mechanism to deliver malware and exfiltrate data. 

As part of the prevention of this class of threat, organizations should elevate DNS from a background utility to a frontline security control by integrating visibility, validation, and enforcement across both email and resolution layers. There are wider implications for security leaders than just a single campaign or actor. 

Adversaries have begun weaponizing core internet infrastructure in a structural way by combining email lures, DNS staging, and modular malware services. Defense systems based primarily on perimeter filtering and endpoint detection are unlikely to identify threats that arise through routine name resolution. 

In order to maintain DNS observability, organizations must implement a strategy that correlates resolver telemetry with email security signals, enforces strict egress policies, verifies record integrity, and integrates threat intelligence into recursive as well as authoritative layers. 

DNS configuration auditing, anomaly detection of irregular TXT record patterns, and rigorous segmentation of web-facing assets are three effective ways to reduce exposure. As adversaries continue to operationalize trusted protocols for covert delivery, resilience will increasingly rely on disciplined architectural design that treats DNS as a decisive defense line rather than a background infrastructure.
Read more »
Subscribe to: Comments (Atom)