This morning, Cyble was recognized in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies as a Challenger. 

I want to use this post for two things. First, to thank the people who got us here. Second, to share what we believe this recognition actually signals — because the more interesting story isn’t about Cyble at all. It’s about where this category is going. 

A milestone for us, not a finish line 

Six years ago, when we started Cyble, the threat intelligence market was a fragmented mix of feed aggregators, dark web monitoring point tools, and incident-response heritage vendors trying to retrofit themselves into a different decade. We saw a different future: one where intelligence is AI-native by default, unified across the surface and dark web, delivered straight into the SOC workflow, and built for the speed adversaries actually move. 

We bet on that future hard. Today, several organizations across 50+ countries trust us to run that vision in production. And today, Gartner placed us in the Challengers Quadrant alongside what we believe are the most established names in the category. 

For us, being named “a Challenger” isn’t a footnote. It’s a signal that Cyble is now operating at the level of the incumbents — with a sharper, AI-native foundation underneath. That’s the bet finally paying off in public. 

What we believe this recognition signals about the category 

Three things, in order of importance: 

1. The category has changed. The buyer has too. 

A decade ago, threat intelligence was a research function. It produced reports. Today, threat intelligence is an operational function. It produces actions. The teams winning in 2026 don’t have time for a 40-page weekly bulletin — they need a platform that triages noise into signal at AI-speed and pipes it into the workflows their analysts already use. 

As we see it, the Magic Quadrant reflects that shift. The vendors moving up are the ones investing in operational depth, not just content depth. 

2. Unified beats fragmented. Always. 

The most consistent feedback we hear from CISOs is that they’re tired of stitching five tools together to investigate one threat. Dark web in one console. Brand monitoring in another. Attack surface somewhere else. Vulnerability prioritization in a fourth. Executive protection bolted on as an afterthought. 

Cyble’s bet from day one: this should be one platform. One workbench. One source of truth for everything happening outside your perimeter. The market is finally catching up to that thesis, and the analyst community is recognizing it. 

3. AI in CTI is past the demo phase. 

Three years ago, “AI in threat intelligence” mostly meant “we used a model to cluster keywords.” Today, AI is doing the work — translating a Russian-language forum post into context-rich intelligence, correlating leaked credentials with actual customer accounts in real time, predicting which CVEs will be weaponized in the next 30 days. Our customers run this in production, every day. 

We feel the Magic Quadrant recognition is, in part, recognition that this work is real now. It’s not a slide. It’s running in your SOC. 

What it doesn’t mean 

A few things I want to be careful about, because moments like this can encourage overstatement: 

• This recognition is not an endorsement. Gartner does not endorse vendors. The Magic Quadrant is a research opinion, not a buying recommendation. If you’re a security leader making a CTI decision, please do the diligence you’d do anyway — POCs, customer references, hands-on evaluation against your real use cases. 

• We are a Challenger, not a Leader. We’re proud of where we are positioned. We’re also clear-eyed about why we believe so: Leaders typically reflect a longer market tenure and broader feature surface, both of which compound with time. We have work ahead of us, and we know exactly where. 

• A quadrant placement doesn’t change a single threat in your environment. The work is still the work. Adversaries don’t read research reports. 

What we owe the people who got us here 

This is the part I care about most. 

To our customers: thank you. Every conversation about triage speed, dark web visibility, and SOC integration shaped what we built. You pushed us harder than any roadmap process ever could. 

To the Cyble team — every researcher, engineer, designer, CSM, seller, partner manager, ops person, recruiter — this milestone is yours. I get to write the blog post. You did the work. 

To the analysts and the broader research community: thank you for taking the time to understand what we’re building. The rigor in this category is what makes it credible. 

What’s next 

Three things you can expect from Cyble in the next 12 months: 

1. Deeper AI capabilities in the analyst workbench — predictive prioritization, automated investigation, language coverage in regions where adversaries are getting harder to track. 

2. Tighter SOC integration, including expanded native connectors and better evidence handoffs into your detection-engineering and IR workflows. 

3. Broader category coverage — third-party risk, executive protection, brand intelligence — all delivered in one pane of glass, not bolted on. 

And in 18 months, we plan to be a different name on a different part of the quadrant. That’s the work. 

If you want to read the report, we’ve made a complimentary copy available here: Access the report here. 

If you want to talk about what this means for your CTI program, contact our team, here. 

To everyone who’s been part of this journey — customers, Cyblers, partners, analysts — thank you. 

We’re just getting started. 

— Beenu Arora Co-Founder & CEO, Cyble 

Gartner, Magic Quadrant for Cyber Threat Intelligence Technologies, Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, May 4, 2026. 

Gartner and Magic Quadrant are trademarks of Gartner, Inc. and/or its affiliates. 

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose. 

The post Cyble Recognized in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies — and What Cyble Feels It Means for the Next Era of Threat Intel appeared first on Cyble.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) has uncovered a targeted cyberespionage campaign leveraging social engineering and trusted infrastructure to establish persistent, covert access to victim systems.

The attack is delivered via phishing emails containing a malicious LNK file disguised within a RAR archive, using a Russian humanitarian aid request form to exploit contextual trust. Evidence of a secondary survey-based lure indicates the threat actor is actively refining delivery techniques.

Execution triggers a stealthy, multi-stage infection chain in which a decoy document is presented to the user while a heavily obfuscated, fileless (PE-less) Python-based implant is silently deployed.

The payload is retrieved from GitHub Releases, enabling the attacker to blend malicious traffic with legitimate services and evade traditional detection mechanisms. Persistence is established through scheduled tasks, ensuring long-term, resilient access.

Once active, the implant operates as a full-spectrum surveillance platform, enabling credential harvesting, keystroke logging, clipboard and screenshot capture, sensitive data exfiltration, and covert remote access. The campaign prioritizes continuous intelligence collection while maintaining a low operational footprint and minimal user visibility.

While attribution remains inconclusive, the artifacts strongly suggest a deliberate intelligence-gathering operation likely targeting Russian-speaking individuals or entities.

Key Takeaways

• The LNK file contains self-obfuscated content that is extracted and executed by PowerShell, using a deliberate technique to evade automated sandbox analysis.
• Multiple lure types themed around humanitarian aid, written in Russian, have been observed, suggesting the intended targets are Russian-speaking individuals, and the threat actor is actively adapting delivery approaches.
• The payload is obfuscated using PyArmor and hosted on GitHub Releases, a deliberate combination to evade static detection and bypass network-level security controls.
• During analysis, the implant was observed collecting browser credentials, session cookies, keystrokes, clipboard data, screenshots, Telegram session data, and sensitive files from the victim's machine.
• Remote desktop access is established silently using RustDesk or AnyDesk, giving the attacker persistent interactive access to the victim's machine with no visible window.
• Persistence is achieved through a Windows Scheduled Task that survives system reboots, ensuring the implant remains continuously active in the background.
• The threat actor behind this campaign has not been conclusively attributed. The campaign uses a surveillance-first, PE-less Python architecture and custom C2 infrastructure, consistent with a targeted espionage operation.

Technical Analysis

This section provides a detailed walkthrough of the attack chain, from initial delivery to payload execution and data collection, based on static and dynamic analysis of the identified samples.

Stage 1: Malicious LNK File Delivery

The infection begins with a Windows shortcut file delivered to the target.

The LNK file is significantly larger than a typical Windows shortcut, as it contains self-obfuscated Unicode content embedded within its body. PowerShell reads this content from a specific offset, decodes it, and executes it in memory. This is a deliberate anti-sandbox technique, as the malware will not execute if the original file is absent from disk, making it appear clean to automated scanning tools.

Stage 2: Decoy Lure Delivery

Upon execution, the malware downloads a Russian-language humanitarian aid request form ("O predostavlenii gumanitarnoy pomoshchi") from the C2 server, saves it to %TEMP%\open_doc, and displays it to the victim. The lure of both the RAR archive and the LNK file reference humanitarian aid, reinforcing the lure's credibility.

While the victim reads the document, the real installation runs silently in the background. A second variant involving a survey link (hxxp[:]//159.198.41.140/test/index.php?r=survey/index&sid=936926&newtest=Y&lang=ru%22) has also been observed.

Stage 3: Python Environment Bootstrap

The malware creates a fully self-contained Python environment inside the user's %appdata% folder, requiring no administrator privileges.

`The installation directory is named WindowsHelper to mimic a legitimate Windows system component. The malware correctly handles a known technical requirement for Python's embedded distribution (patching the ._pth file to enable pip), a detail that reflects genuine developer skill. The following Python libraries are installed, each enabling a specific capability:

Stage 4: Payload Download and Persistence

The main payload is downloaded from a dedicated GitHub account. Storing it in GitHub Releases rather than the repository code is a deliberate evasion choice, as release artifacts receive less scrutiny from automated scanners and updates can be pushed silently with no commit history. The same account also hosts clean, legitimate files, including the Python embedded runtime and pip installer, making the entire download chain appear as normal GitHub traffic.

Beyond the malicious payload, the same GitHub account also hosts the Python embedded runtime (python-3.12.10-embed-amd64.zip) and the pip installer (get-pip.py) as separate release tags. These are clean, legitimate files. Hosting them on the same repository allows the attacker to download and bootstrap the entire Python environment from a single trusted source, making the full installation chain appear as normal GitHub traffic to network monitoring tools.

The attacker's GitHub Release page shows frequent republishing of data.zip, with its sha256 hash changing across versions, confirming the threat actor remains active and is continuously updating the campaign payload.

Persistence

Two silent VBScript launchers, run.vbs and launch_module.vbs, invoke the payload through pythonw.exe with no visible window.

A Windows Scheduled Task named “WindowsHelper” is registered to run at a short recurring interval, ensuring the implant persists across reboots and remains continuously active in the background.

Stage 5: Active Payload Capabilities

The main payload, module.pyw, is protected with PyArmor v9.2 Pro, a commercial obfuscation tool that converts Python bytecode into a format that resists static analysis and decompilation. Analysis of the disassembled bytecode revealed the following active capabilities:

Browser Credential and Cookie Collection

The implant collects stored passwords and session cookies from all major Chromium-based browsers, including Firefox. For Chromium browsers, it extracts the AES-GCM master key from the Local State file and uses it to decrypt stored credentials. It handles both legacy DPAPI-based decryption and newer Chrome encryption schemes (v10, v11, and v20).

• Target browsers: Chrome, Edge, Brave, Opera, Yandex Browser, Firefox
• Functions identified in bytecode: get_master_key, decrypt_chromium_data, extract_chromium_passwords, collect_and_send_cookies, extract_login_data, extract_firefox_passwords

Keylogging

Keystrokes are captured continuously via the keyboard library, stored in keystrokes_log.txt, and periodically uploaded to the C2 server.

Clipboard Monitoring

The malware monitors clipboard contents in real time using the pyperclip library. Any text copied by the victim, including passwords, tokens, and other sensitive content.

Screenshot Capture

The mss library captures continuous desktop screenshots, which are archived as ZIP files and uploaded periodically. Old archives are automatically cleaned up to avoid excessive disk usage.

File Collection

The implant recursively scans user directories, skipping system folders and low-value file types, to collect documents, configuration files, and credential stores.

This selective filtering is designed to identify high-value files, including documents, configuration files, source code, and credential stores on the Desktop, in Documents, and similar user locations.

A SQLite database inventory_state.db tracks scanned files to avoid re-uploading unchanged content. Files are also scanned for 64-character hexadecimal strings consistent with cryptocurrency private keys.

Telegram Session Collection

The tdata session folder is extracted and uploaded, giving the attacker full access to the victim's Telegram account without requiring a password.

Remote Access via RustDesk and AnyDesk

Static analysis of the payload reveals the capability to silently download and install RustDesk and AnyDesk. RustDesk, signed by Open Source Developer Huabing Zhou, is a legitimate remote desktop tool that is being abused here to blend in with normal software. The code is designed to hide the application window from the victim and to send the connection credentials back to the C2 server, potentially giving the attacker persistent remote desktop access.

Command and Control Infrastructure

All collected data is transmitted to a single attacker-controlled server. The server hosts a custom-built login panel (Login - Dashboard) that the attacker can use to access all collected data, monitor active implants, and initiate remote desktop sessions.

The C2 server was confirmed live and serving the attacker's login panel as of May 2026. The use of a commercial VPS provider with low-friction provisioning reflects a common pattern among threat actors seeking to quickly deploy and replace infrastructure.

Attribution:

The intended targets of this campaign appear to be Russian-speaking individuals, as evidenced by the Russian-language lure content referencing humanitarian aid. The use of a humanitarian aid application form as a decoy suggests the targets may include individuals or organizations involved in aid distribution, civil administration, or related government functions.

Conclusion

This campaign represents a well-constructed, technically capable cyberespionage operation. The attacker combines a convincing Russian-language humanitarian aid lure with a multi-stage infection chain that silently deploys a full-featured surveillance platform on victim machines.

The Python implant goes beyond credential collection. It enables the attacker to monitor every action a victim takes, collect active browser sessions, capture communications, and maintain live remote desktop access.

The use of PyArmor v9.2 Pro for payload obfuscation, GitHub Releases for payload hosting, and a custom Flask C2 panel demonstrates a technically skilled and operationally disciplined threat actor.

The campaign is active and ongoing. The Russian-language lure content and humanitarian aid theme point to Russian-speaking individuals as the intended target audience.

The use of multiple lure types, particularly humanitarian ones, indicates active development and adaptation. Organizations and individuals should treat this as an active threat and apply the recommendations in this report.

Recommendations

• Treat unsolicited files received through email or messaging platforms with caution, especially compressed archives and shortcut files. Verify the sender through a separate trusted channel before opening any attachment.
• Enable file extension visibility in Windows to prevent files from being disguised using misleading names or double extensions.
• Regularly audit the Windows Task Scheduler for unexpected or newly created tasks, particularly those scheduled to run at short, recurring intervals without a known business justification.
• Monitor endpoint activity for the creation of self-contained scripting environments in user-writable directories, as this is a common technique for executing malicious code without administrative privileges.
• Block outbound network traffic to known malicious infrastructure at the perimeter and alert on downloads from newly registered or low-reputation hosting accounts on code-sharing platforms.
• Monitor for the silent installation of remote desktop tools by non-administrative processes, as legitimate software abused for remote access is a growing attacker technique that can be difficult to detect without process-level visibility.
• Deploy endpoint detection rules targeting obfuscated or packed script files appearing in non-standard user directories, as commercially packed payloads are increasingly used to evade static analysis.
• Ensure security teams have visibility into scheduled task creation, scripting interpreter activity, and outbound HTTP connections from user-space processes, as these are the primary indicators of this class of threat.

MITRE ATT&CK TTPs

Indicators of Compromise (IOCs)

The post Operation HumanitarianBait: An Infostealer Campaign in Disguise appeared first on Cyble.

We are excited to share that Cyble has been recognized as a Challenger in the 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence. Check back for a complimentary copy of the full report soon!

In our view, this recognition reflects what we hear from the security teams we work with every day: that the threat intelligence category is being redefined by speed, AI, and operational impact — and we believe Cyble is built for exactly that shift. To us, today’s recognition is a starting line, not a finish line: we think the next era of CTI belongs to platforms that are AI-native, unified across the surface and dark web, and delivered straight into the SOC workflow.

Gartner delivers actionable, objective insight to executives and their teams. Its expert guidance and tools enable faster, smarter decisions and stronger performance on an organization’s mission-critical priorities.

The Gartner Magic Quadrant evaluates vendors based on their Ability to Execute and Completeness of Vision. We are honored to be included among the recognized vendors in this important report. Learn more about the Magic Quadrant.

Report citation

Gartner, Magic Quadrant for Cyber Threat Intelligence, Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, 04-05-2026

Disclaimer (paste in full at the bottom of the page)

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally. MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

The post Cyble Named a Challenger in the 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence appeared first on Cyble.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) identified a campaign of over 16,800 malicious domains active since early 2026. It uses a potent technique — embedding government labels as subdomains to fake trust without DNS authority. We have dubbed this 'Operation TrustTrap'.

Spoofed portals resolve to infrastructure concentrated across Tencent Cloud and Alibaba Cloud APAC nodes, impersonating citizen-facing government services across several US states, with targeting extending into India, Vietnam, and UK-adjacent geographies. A distinct infrastructure cluster within the dataset we investigated carries TTPs consistent with APT36.

The campaign's sophistication isn't in technical exploits but in exploiting how humans interpret web addresses. Attackers no longer compete with security controls at the binary level but target the cognitive layer—when a user's eye scans a URL and decides whether to click.

Key Takeaways

• 16,800 unique malicious domains identified across major US states and agencies
• Domains weaponize the visual trust of "*.gov" by positioning it in non-root subdomain positions
• Three distinct obfuscation classes: subdomain injection, hyphen manipulation, and combined abuse
• Infrastructure clustering reveals overlapping IPs concentrated in Tencent Cloud ASNs (China)
• Campaign extends beyond the US to India, Vietnam, and NHS-themed lures in the UK
• Over 62% of these domains had very few detections on VirusTotal
• Registrar concentration: Gname.com Pte. Ltd. dominant; TLDs of choice were .bond, .cc, .cfd
• Infrastructure and TTPs show consistency with known government-targeting threat clusters
• A distinct APT36-consistent infrastructure cluster identified within the dataset targeting Indian Government Entities

Campaign overview

A routine sweep by Cyble Research and Intelligence Labs (CRIL) uncovered a coordinated infrastructure of over 16,800 malicious domains. These domains were designed to make fraudulent URLs appear as government websites.

Our expanded search yielded infrastructure correlation, registrar clustering, certificate metadata, and shared hosting IP analysis. The campaign grew from dozens to thousands of domains, ultimately producing a dataset of 16,800 confirmed malicious domains with a consistent construction logic.

What Are These Domains Actually Used For?

Though several domains appear to be benign at the point of registration — serving no active content — they function as a pre-provisioned operational reserve. Domains are registered in bulk and held dormant until a campaign wave is triggered. At this point, they are rapidly activated to host government-themed phishing portals designed to harvest credentials and device information.

A subset operates as staging infrastructure, dynamically loading second-stage payloads — credential exfiltration endpoints or malicious scripts — after the victim has already landed on the spoofed page. This separation between the delivery domain and the payload host is deliberate: it keeps the user-facing URL clean while the actual malicious logic lives one layer deeper, significantly narrowing the window for detection and takedown.

Targeting Geography: Who Is Being Impersonated?

Analysis of the 16,800 domains reveals a heavily US-centric campaign, with systematic coverage of virtually every US state. The targeting is not random — it skews toward states with high-volume citizen-facing digital services, particularly Department of Motor Vehicles (DMV) portals, toll payment systems, and vehicle registration renewals. These are services characterized by time-sensitive transactions, financial exchange, and strong citizen familiarity — ideal conditions for social engineering.

Top Targeted US Entities

Beyond the United States: International Footprint

While the campaign is overwhelmingly US-focused, CRIL identified targeting extending into at least three additional geographies:

The variants targeting India are particularly noteworthy from a threat intelligence perspective. The pattern www.in.gov-[id].bond specifically mimics the structure of Indian government portals (which use the *.gov.in TLD convention) through subdomain injection — consistent with the analytical framework CRIL has described as trust-token positioning attacks.

Registrar Dominance

Gname.com remains dominant, but two additional registrars were identified across the extended dataset.

Dominet (HK) Limited, a Hong Kong-based registrar with a documented history of abuse across multiple phishing campaigns, accounts for 10.5% of the analyzed domains.

NameSilo, LLC accounts for a small fraction. Still, its presence alongside the primary registrars suggests the operator is diversifying provisioning sources, likely to reduce the risk of bulk registrar-level takedowns.

The concentration of infrastructure in Tencent and Alibaba Cloud ASNs is a notable attribution signal. The registrar pattern, particularly the dominance of Gname.com, a Singapore-based registrar with a significant Chinese customer base, combined with the APAC IP clustering, points to an operator or operator group with consistent access to low-cost Chinese cloud infrastructure.

Operational Lifecycle

Domains observed returning active HTTP 200 responses and live phishing content in early April 2026 were fully unresolvable by late April 2026.

This confirms the rapid rotation lifecycle the campaign relies on: domains are activated for a narrow operational window and then abandoned or rotated, deliberately narrowing the time available for detection, blocklist addition, and takedown.

Deceptive Domain Spoofing: Core Technique Breakdown

Technique 1: Subdomain Trust Injection

The most prevalent technique in the dataset involves embedding a legitimate-looking government domain token — such as mass.gov, wa.gov, or az.gov — in the leftmost subdomain position of a fraudulent domain.

The critical structural insight: in every legitimate government URL, the .gov component appears as a top-level domain directly before the rightmost domain separator. In the malicious variants, gov appears as part of a subdomain label. The DNS authority rests entirely with the registrant of the rightmost domain — not with any government entity.

Technique 2: Hyphen-Based Semantic Manipulation

A second class of obfuscation weaponizes the hyphen character to break known trust tokens into subtly altered, yet visually similar, forms. By inserting hyphens at strategic positions within familiar government identifiers, attackers construct strings that resist regex-based detection while remaining legible to the human eye.

Technique 3: Combined Obfuscation Strategy

The domains in this dataset combine both techniques: subdomain trust injection with hyphen manipulation, alongside innocuous-sounding benign word insertion. This layered approach maximizes deception while minimizing the technical footprint:

Active Phishing URL Structure

Active phishing URLs observed across the infrastructure consistently used a double-query-string parameter pattern: ?var1=xxxxx?var2=xxxxx.

This structure serves as a session-tracking mechanism, assigning unique identifiers to individual victims to monitor engagement. Its consistent use across hundreds of URLs confirms an organized, kit-driven operation rather than manually managed individual campaigns.

Path structures observed across active URLs confirm the agency-specific targeting:

• /dmv (Department of Motor Vehicles)
• /mvd (Motor Vehicle Division)
• /dol (Department of Licensing)
• /dot (Department of Transportation)
• /mve (Motor Vehicle Enforcement)
• /mvc (Motor Vehicle Commission)
• /rmv (Registry of Motor Vehicles)

Each path maps to the specific agency being impersonated by the subdomain prefix.

Some of the examples of active phishing portals are shown below (see Figure 5 and Figure 6)

APT36 Infrastructure Cluster: Attribution Signals

During infrastructure correlation, CRIL identified a distinct cluster of domains exhibiting TTPs consistent with APT36 (also tracked as Transparent Tribe, ProjectM, and TEMP.Lapis) — a Pakistan-nexus threat actor with a well-documented history of targeting Indian government entities, defense personnel, and diplomatic infrastructure.

The attribution is assessed with moderate-to-high confidence based on the convergence of the following signals across the cluster:

• Campaign overlap: Lure themes targeting Indian government portals align directly with APT36's documented preference for spoofing Indian ministry and defense-adjacent web properties
• Infrastructure reuse: Shared hosting IPs (particularly within the Tencent Cloud and Alibaba APAC ASN ranges) overlap with previously documented APT36 staging infrastructure observed in 2024–2025 campaigns
• TLD and registrar pattern: The .bond and .cc TLD preference, combined with Gname.com registration, is consistent with APT36's known operational playbook for disposable domain provisioning
• Target geography correlation: The India-specific trust injection pattern reflects the threat actor with specific knowledge of how Indian government URLs are structured (*.gov.in) and how to exploit that structure visually
• Subdomain construction logic: The random suffix characters mirror the automated domain-generation behavior documented in prior APT36 bulk registration events.

Conclusion

Operation TrustTrap is a coordinated campaign involving 16,800 malicious domains across all US states, as well as India, Vietnam, and the UK, often using UK-themed lures.

The campaign exploits visual and cognitive trust mechanisms rather than technical vulnerabilities, rendering traditional detection methods ineffective.

The shift from domain spoofing to trust-layer manipulation represents a meaningful evolution in adversarial capability that demands a corresponding evolution in defensive architecture. Pattern-driven discovery, eTLD+1-aware detection tooling, intent-based domain risk scoring, and revised security awareness programs are the pillars of an adequate response.

CRIL will track this campaign cluster and update IoCs as new infrastructure emerges. All indicators have been submitted to Cyble's threat feeds and are accessible to Vision platform customers for blocking and correlation.

Organizations, especially those in US state governments, transportation agencies, and DMV-like services, should view this campaign as an active threat and prioritize detection and review against the failure modes outlined in this report.

Recommendations

Based on the findings presented above, CRIL recommends the following actions for immediate consideration by security teams and organizations:

• Implement eTLD+1-aware URL parsing across all email security, proxy, and endpoint controls.
• Build or acquire detection rules that evaluate the structural position of government trust tokens, not merely their string presence.
• Apply domain risk scoring that weights registrar identity, TLD, hosting ASN, and domain registration age as compounding signals.
• Integrate campaign-cluster pivoting from confirmed IoCs into threat hunting workflows, using shared IP resolution as the primary pivot axis.
• Revise security awareness materials to teach structural URL interpretation, with a specific focus on identifying the root registered domain as distinct from subdomain labels.
• For organizations in the transport, DMV, and toll payment space: issue proactive user advisories advising that official payment communications will never be delivered via SMS with embedded URLs.

The need for a proactive cyberdefense stance

The current threat landscape includes a multitude of Social Engineering campaigns. Security teams need more than reactive controls to keep ahead of these.

Solutions such as Cyble Vision deliver operational intelligence that enables defenders to stay ahead of adversaries through early detection, campaign-level visibility, and infrastructure mapping.

Cyble Vision specifically empowers security teams to move beyond isolated detection, providing the strategic insight needed to anticipate threats, monitor adversary activity, and respond with precision at every stage of the attack lifecycle. Security teams can take necessary preventive action with the help of:

• Real-Time IOC Monitoring
  Enable continuous tracking of indicators tied to adversary infrastructure, before they reach end users.
• Credential Phishing Infrastructure Mapping
  Map attacker-controlled infrastructure, including fake authentication portals, dynamic exfiltration endpoints, and backend logic designed to capture credentials.
• Brand and Executive Impersonation Monitoring
  Detect domain spoofing and impersonation attempts targeting internal functions such as HR and Finance—often used to increase trust and exploit user familiarity.
• Deep and Dark Web Visibility
  Surface chatter, leaked credentials, and phishing toolkits from deep/dark web sources, offering early insight into attacker preparation and target selection.
• Global Targeting Intelligence
  Track phishing activity across global regions—including North America, EMEA, and APAC—as well as over 70 industry sectors, providing defenders with contextual understanding of targeting patterns.
• Threat Actor Attribution and TTP Correlation
  Associate infrastructure, techniques, and behavioral patterns with known threat actors, empowering security teams to prioritize response based on adversary capability and intent.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign appeared first on Cyble.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) has been monitoring a significant surge in the use of “MiningDropper”, a sophisticated Android malware delivery framework that combines cryptocurrency mining capabilities with the deployment of infostealers, Remote Access Trojans (RATs), and banking malware.

MiningDropper employs a multi-stage payload delivery architecture that combines XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques. This layered design enables threat actors to evade static detection, delay analysis, and dynamically control the delivery of the final payload.

Our analysis indicates that MiningDropper is being actively leveraged across multiple campaigns, with a particularly notable infostealer campaign targeting Indian users, alongside a BTMOB RAT campaign affecting LATAM, Europe, and Asia.

Additionally, large-scale telemetry analysis shows widespread distribution with low detection rates, highlighting the effectiveness of its evasion techniques and the rapid reuse of its modular architecture across campaigns.

Key Takeaways

• MiningDropper is a multi-stage Android malware delivery framework that combines cryptocurrency mining activity with the deployment of additional malicious payloads.
• The recently identified MiningDropper variant leverages a trojanized version of the open-source Android application project “Lumolight”.
• Dropper implements layered obfuscation (XOR + AES) and native code execution to evade detection and hinder analysis
• Uses a state-driven payload execution, initially deploying a miner before transitioning to user-defined payloads
• Actively used in phishing campaigns impersonating RTO services, banks, telecom providers, and popular applications
• Delivers malware payloads, including infostealers and BTMOB RAT, capable of full device compromise
• Over 1,500+ samples observed, with more than 50% exhibiting low antivirus detection, indicating ongoing evasion and rapid campaign scaling

Dropper Characteristics

Overview

Recently, CRIL observed a notable surge in the use of MiningDropper (also referred to as BeatBanker) as an adaptable malware delivery framework for distributing infostealers, Remote Access Trojans (RATs), and banking malware.

The threat actor employs a multi-stage payload architecture that incorporates XOR-based native-string obfuscation, AES-encrypted payload staging, and anti-emulation techniques, significantly complicating detection and analysis.

Our investigation revealed that MiningDropper is actively leveraged across multiple campaigns, with particularly notable activity observed in two primary campaign clusters:

Infostealer Campaign

This campaign primarily targets users in India by impersonating:

• Regional Transport Office (RTO) services
• Banking institutions
• Telecom providers

In October 2025, Cyble analyzed a campaign that used RTO services as a lure, during which multiple malware variants were identified, including one that used MiningDropper. In its more recent variant, MiningDropper incorporates native code along with a trojanized open-source application.

In this campaign, victims are lured to download malicious APK files via phishing websites or social media platforms, ultimately leading to the deployment of infostealer payloads designed to harvest sensitive user and financial data.

The following sites were identified as distributing MiningDropper as part of an infostealer campaign:

• hxxps://cardcpp[.]online/imobile.apk
• hxxps://hamzaansari1612-ux[.]github.io/ICICI00/imobile.apk
• hxxps://getchaiian[.]short.gy/Getchallan0176
• hxxps://raw.githubusercontent[.]com/singhsonali3021-pixel/my-apk/main/ICICI%20BANK%20CREDIT%20CARD.apk
• hxxps://cardhelp[.]live/SBICreditCard.apk
• hxxps://downloadhdfcapp[.]pythonanywhere.com/download/latest.apk
• hxxps://protectcc[.]online/imobile.apk
• hxxps://dkfootwearstore[.]shop/Jio%20Free%20Recharge.apk
• hxxps://www.icicimanagecards[.]online/iMobile%20Lite.apk

BTMOB RAT Campaign

The second campaign distributes MiningDropper via fraudulent sites targeting users across:

• Europe
• Latin America
• Asia

In this case, the dropper delivers BTMOB RAT, a full-featured Android remote access trojan. We first identified BTMOB RAT in February 2024 as a variant of the SpySolr malware, capable of credential harvesting, device takeover, real-time remote control, and facilitating financial fraud operations.

At the time of its initial discovery, the malware was distributed without a packer and was detected by multiple antivirus products. However, in recent campaigns this year, BTMOB RAT is being distributed via MiningDropper, significantly reducing its detection footprint to as few as 1–3 detections.

The following phishing sites were identified as distributing MiningDropper as part of a BTMOB RAT campaign:

• hxxps://www[.]kavoutai[.]com/signed[.]apk
• hxxps://free-secure[.]com/Free%20Secure%20-%20Annulation[.]apk
• hxxps://litter[.]catbox[.]moe/o6pxvp[.]apk
• hxxps://tv-pluto[.]vercel[.]app/PlutoTv[.]apk
• hxxps://www[.]dl[.]dropboxusercontent[.]com/scl/fi/r9d5y9ch1k7dwvw6l36rj/TecnoCasaFotosPiso[.]apk?rlkey=z6n2qvft8v3nzm66fgy6acwcx
• hxxps://googleeplaaystore[.]pages[.]dev/assets/AGENDA2026[.]apk

Over the past month, we identified more than 1,500 MiningDropper samples in the wild, highlighting the rapid proliferation and reuse of this malware framework. Detection telemetry reveals:

• A majority of samples cluster at very low detection rates, with over 50% exhibiting minimal antivirus coverage, indicating effective evasion techniques
• The largest concentration of samples (~668) shows only 3 AV detections, suggesting widespread undetected distribution

These observations underscore that MiningDropper is not merely another Android dropper, but a scalable malware-as-a-framework, enabling threat actors to efficiently deploy diverse payloads while maintaining a low detection footprint.

A detailed technical analysis is presented in the following section.

Technical Analysis

MiningDropper employs a multi-stage, modular architecture combining native code, dynamic loading, staged decryption, and configuration-driven payload delivery. Each stage progressively unpacks the next payload while minimizing static exposure and hindering detection.

For the technical analysis, we analyzed the APK “Free Secure - Annulation.apk” (58a94f889547db8b2327a62e03fb2cce3bda716278d645ee8094178ecda2e9e6), which is being distributed via a phishing site “hxxps://free-secure[.]com/Free%20Secure%20-%20Annulation.apk”.

Initial Native Stage

The threat actors appear to have trojanized the open-source Android application project “LumoLight.” The malicious activity is executed via the application subclass, which loads the native library “librequisitionerastomous.so.” This library contains XOR-obfuscated strings that are decrypted at runtime, a technique used to hinder static analysis and evade automated detection mechanisms.

After decrypting the strings from the native code, it is evident that the native library has implemented anti-emulation techniques. The application checks platform details, system architecture, and device model information to determine whether it is running on an emulator.

If an emulated or rooted environment is detected, the malware terminates its malicious execution.

The native library is also responsible for decrypting and executing the first-stage payload from the APK’s assets directory. The asset “x7bozjy2pg4ckfhn” is decrypted using a long hardcoded XOR key, producing the first-stage DEX payload.

After decrypting the first-stage payload, the native code dynamically loads the DEX file using DexClassLoader and invokes the malicious class “com.example.virusscanbypassbootstrapper.DexLoader.”

First Stage Payload

The decrypted first-stage payload acts primarily as a bootstrap loader. Its main purpose is to receive execution from the native library, decrypt the next-stage payload, and execute it. This stage contains a loadDex() method that decrypts the second-stage payload and executes it via dynamic code loading.

The first stage retrieves the encrypted second-stage file “4ozvcznaamqmioqf/sorxbqp8” from the assets folder and decrypts it using AES.

The AES key is derived from the first 16 bytes of the SHA-1 hash of the filename sorxbqp8, showing that the TA uses filename-derived key material rather than storing raw AES keys directly.

This approach slightly increases analysis effort because the decryption key must be reconstructed from the naming logic rather than extracted as a static constant.

After decryption, the first stage loads the recovered second-stage dex using Dex Class Loading.

Second Stage Payload

The second-stage payload is the most visible portion of the chain from the victim’s perspective. It presents a fake Google Play update interface that deceives the user into believing a legitimate update or service repair is underway.

This stage effectively serves as the social-engineering layer of the infection flow, masking the malicious installation behind a familiar Android/Google-themed update prompt.

In addition to the visual lure, the second stage loads the class com.qnez.sarcilistranscendingly.App responsible for decoding and orchestrating the remaining stages. This component decrypts the file “jajmanpongids” using AES, again deriving the key from the first 16 bytes of the SHA-1 hash of the filename plus the suffix 1.

In this case, the effective key material is based on jajmanpongids1. The decrypted output is a ZIP archive that contains the third-stage installer components.

Based on the observed code paths, the malware operates in two distinct modes: one linked to the “miner” component and the other to a “user payload.”

The behavior indicates that the second-stage payload initially activates the miner module, then transitions state—either upon completion or failure—and then executes the user-defined payload.

This distinction highlights that the campaign is built to support flexible, multi-purpose monetization rather than a fixed single-payload approach.

The second stage also decrypts one of two configuration files from assets: “norweyanlinkediting” for the miner path or “udela” for the user-defined path. Both use the same AES pattern, with the key derived from the first 16 bytes of the SHA-1 hash of the filename plus 1.

For the user-defined payload, the decrypted configuration contains:

{"isRemoteControl": true, "isTestKeyEnabled": false, "splits": ["transnaturationsaxhorn", "mischanterperilling", "unwieldlyostearthritis"], "subscriptionEndMillis": 1777220616438, "messageAuthenticationCode": "HaZRwGj6UZDpqKSf43o/Cg==", "simpleInstaller": "deprecated"}

For the miner payload, the configuration contains:

{"isRemoteControl": false, "isTestKeyEnabled": false, "splits": ["bilbopseudomelanosis"], "subscriptionEndMillis": 4611686018427387903, "messageAuthenticationCode": "eVAmHju3UqrVWR56gOMaUQ==", "simpleInstaller": "deprecated"}

The third-stage payload uses these configuration files to identify which encrypted asset files correspond to the remote control payload and which are associated with the miner component.

Third Stage Payload

The third-stage payload is extracted from the decrypted ZIP archive “jajmanpongids.zip”, which contains the DEX file “enchantmentcrosses” along with ARM native libraries. Similar to earlier stages, this payload leverages native code and XOR-based string obfuscation to evade analysis.

Functionally, it operates as a split-APK installer module that reconstructs and installs the final payload package using components defined in the configuration.

Final Payloads

For the user-defined path, the third stage processes the three split entries listed in the configuration: transnaturationsaxhorn, mischanterperilling, and unwieldlyostearthritis. These files are present in the APK assets and are encrypted using the same AES pattern used elsewhere in the chain.

After decryption, the components are merged to reconstruct the final malicious package. In this sample, this merged payload is attributed to BTMOB RAT.

BTMOB RAT can perform multiple malicious activities, including credential theft via WebView-based injections, keylogging, and data exfiltration. It abuses Android Accessibility Services to gain extensive control over the device, enabling actions such as unlocking the device, simulating user interactions, and granting additional permissions.

Furthermore, it supports real-time remote control via WebSocket-based C2 communication, enabling attackers to monitor the infected device's screen in real time, manage files, record audio, and execute commands.

For the miner path, the third stage decrypts the single asset bilbopseudomelanosis, again using filename-derived AES key material. In this branch, the output is a standalone APK that handles cryptocurrency mining.

Taken together, the final stage design reveals that MiningDropper is better understood as a multi-payload Android delivery framework than a simple miner dropper.

The same loader family can deliver radically different end payloads with only configuration and asset changes, which explains how the campaign can scale across a large number of samples while maintaining a consistent core architecture.

Conclusion

MiningDropper demonstrates a layered, modular Android malware architecture designed to make static analysis difficult while giving Threat Actors flexibility in final payload delivery.

The malware combines a native bootstrapper, memory-only string deobfuscation, filename-derived AES decryption, staged DEX loading, configuration-driven payload delivery, and split APK reconstruction to install either a cryptocurrency miner or a more capable user-defined payload such as BTMOB RAT.

This design allows the threat actor to reuse the same distribution and installation framework across hundreds of samples while adapting the final monetization objective to operational needs.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

• Install Apps Only from Trusted Sources:
  Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
• Be Cautious with Permissions and installs:
  Never grant permissions and install an application unless you're certain of an app's legitimacy.
• Watch for Phishing Pages:
  Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
• Enable Multi-Factor Authentication (MFA):
  Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
• Report Suspicious Activity:
  If you suspect you've been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
• Use Mobile Security Solutions:
  Install a mobile security application that includes real-time scanning.
• Keep Your Device Updated:
   Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post MiningDropper – A Global Modular Android Malware Campaign Operating at Scale appeared first on Cyble.

Executive Summary

CRIL has been actively tracking a surge in PXA Stealer activity deployed in a sophisticated, financially motivated threat campaign attributed with high confidence to a Vietnam-based cybercriminal group. The primary targets in this campaign are job seekers across India, Bangladesh, the Netherlands, Sweden, and the United States.

Threat actors leverage LinkedIn as their primary initial access vector, distributing fraudulent recruitment messages via compromised accounts that impersonate legitimate job opportunities.

What makes this threat particularly dangerous is the potential for propagation: compromising one’s LinkedIn account, especially with many connections (such as recruiters or HR personnel), can lead to an exponentially higher rate of further infection. This new trend requires users to be wary when using any social networking platform, even those for professional use.

The infection ultimately delivers a multi-stage information stealer designed to harvest sensitive data, including browser-stored credentials, cryptocurrency wallet information, two-factor authentication (2FA) tokens, hardware wallet artifacts, and email client credentials.

The attack chain demonstrates significant operational sophistication:

• Adversaries abuse trusted cloud and professional platforms—including LinkedIn, Google Forms, and Dropbox—to evade reputation-based security controls and increase victim trust.
• Execution relies on a legitimate Microsoft 365 binary leveraged for DLL sideloading, while the malicious DLL is artificially inflated to approximately 100 MB to bypass size-based inspection mechanisms.
• The final payload executes entirely in memory, minimizing disk artifacts and complicating forensic detection.

This sophistication makes PXA Stealer a potent threat to job seekers in the targeted countries, and the list of victims may expand in the near future.

At the time of analysis, the campaign remained active and continued to propagate laterally through compromised LinkedIn accounts, leveraging victims’ professional networks to further distribute job-themed phishing lures.

The image below shows the Malware profile summary for PXA Stealer from Cyble’s Vision Threat Intelligence.

The real-world impact of this lateral spread is evidenced by multiple LinkedIn users publicly reporting that their accounts were compromised and used to distribute fraudulent Apex Logistics Group recruitment messages to their professional connections, as shown below.

Key Takeaways

• Attribution: The campaign is attributed with high confidence to PXA Stealer, tied to a Vietnam-based cybercriminal actor. This is further supported by Vietnamese-language strings embedded within malware samples and overlaps with previously documented activity clusters.
• Initial Access Vector: Threat actors initiate compromise through LinkedIn direct messages, impersonating recruiters from a fabricated logistics entity, Apex Logistics Group, using job-themed social engineering lures.
• Payload Delivery Chain: Victims are redirected through a staged delivery workflow that includes a Google Form, followed by a shortened URL pointing to a Dropbox-hosted ZIP archive. The payload exhibited zero antivirus detections on VirusTotal at the time of discovery.
• Execution Mechanism: Malware executes via DLL sideloading using a legitimate, signed Microsoft Office binary (winword.exe), enabling trusted-process execution and reducing behavioral suspicion.
• Defense Evasion: The malicious DLL is artificially inflated to approximately 100 MB to evade size-threshold scanning mechanisms. The final payload executes entirely in memory through Python exec() functionality, leaving minimal disk artifacts during runtime.
• Command-and-Control (C2): The malware dynamically retrieves its C2 infrastructure from an encrypted Telegram channel. The final payload is hosted on an IP address configured to masquerade as Chinese government infrastructure, likely to hinder attribution and evade network reputation controls.
• Objectives: The infostealer’s primary objective is data theft, targeting a broad range of sensitive assets, including:
  • Browser credentials and session data
  • Cryptocurrency wallets and Ledger Live artifacts
  • Two-factor authentication (2FA) and authenticator data
  • Desktop and email client credentials

• Persistence Mechanism: Persistence is established via a scheduled task registered under a name mimicking a legitimate Microsoft Edge update process, blending malicious activity with normal system operations.

Overview

PXA stealer is tied to a Vietnam-linked threat actor who conducted a targeted campaign across multiple countries by impersonating recruiters on LinkedIn and distributing fabricated part-time job opportunities as social engineering lures.

Victims are guided through a staged delivery chain leveraging trusted platforms, including a Google Form, a shortened URL, and a Dropbox-hosted ZIP archive, allowing the malicious payload to evade reputation-based defenses and achieve zero detections on VirusTotal at the time of discovery.

Upon opening the archive, victims unknowingly executed a disguised Microsoft Word binary that initiated a DLL sideloading attack. The sideloaded DLL is artificially inflated to approximately 100 MB, a deliberate evasion technique designed to bypass automated file-scanning and size-threshold inspection mechanisms.

A concealed batch script subsequently deployed the next-stage payload, established persistence via a scheduled task masquerading as a legitimate Microsoft Edge update process. It launched the final infostealer entirely in memory. Execution relied on multiple layers of encoding—including XOR, Base64, bzip2, and zlib—to obscure payload functionality and minimize forensic artifacts on disk.

PXA Stealer: History and Evolution

PXA Stealer is not a new threat. First publicly documented by Cisco Talos in November 2024, it has undergone continuous, rapid evolution. What began as a straightforward Python-based infostealer has matured into a sophisticated, multi-stage operation backed by an organized criminal ecosystem. Understanding this evolution is critical to anticipating the threat actor's next moves.

The name PXA is tied directly to its original developer, Phan Xuan Anh (PXA), a Vietnamese national who commissioned a high school programmer to develop the malware in late 2024. Vietnamese law enforcement subsequently indicted 12 suspects in early 2026, including the student developer, as part of a global operation that had infected over 94,000 computers worldwide.

Comparative TTP Analysis: PXA Stealer Campaigns

The table below cross-references TTPs observed in this campaign against prior PXA Stealer analyses by Cisco Talos (November 2024) and SentinelOne (August 2025). The consistent overlap across delivery, obfuscation, persistence, and exfiltration techniques provides strong technical justification for attributing this activity to the PXA Stealer malware family.

What Should Businesses Expect When Infected with PXA Stealer?

PXA Stealer's immediate impact is severe and rapid. Within minutes of execution, all browser-stored credentials, active session cookies, cryptocurrency wallets, and 2FA tokens are exfiltrated. Attackers can bypass MFA entirely using harvested session cookies, and email account access enables Business Email Compromise before the victim even notices the infection.

Shortly thereafter, the victims' credentials are stolen, and their own LinkedIn profile is turned into a distribution channel for further attacks.

Organizations face regulatory breaches of notification requirements under GDPR or DPDPA, long-term persistent access risks, and lasting reputational damage, particularly for fintech and crypto-facing businesses.

Technical Analysis:

Initial Access — LinkedIn Phishing

The threat actor established initial contact via direct messages on a compromised LinkedIn account, posing as a recruiter affiliated with a logistics sector firm. The lure offered a remote, part-time digital marketing role, a format deliberately calibrated to exploit the professional context LinkedIn provides.

With 1.3 billion active users, LinkedIn is the largest professional networking platform. Users would naturally expect and engage with career-related outreach, particularly job seekers. This significantly lowers their caution threshold when compared to unsolicited emails or social media messages from trusted contacts on other platforms.

Once contact is established, targets are directed to a Google Form hosted at hxxps://forms.gle/JjAtpy26Tcokow2Q7.

Hosting the next stage on Google’s legitimate infrastructure is intentional: most URL filtering solutions and email security gateways do not flag Google domains, allowing the attacker to preserve the job application narrative while bypassing automated defenses entirely.

Payload Delivery — Trusted Platforms as Staging Infrastructure

Within the Google Form, victims were instructed to review a job description via a hyperlink. The link (hxxps://tr.ee/PRtnsf) was a shortened URL that redirected to a Dropbox-hosted ZIP archive named “Position Details and Compensation Policy (2).zip”. The layering of a URL shortener on top of a trusted cloud storage platform made static analysis significantly more difficult. At the same time, the job-themed filename gave victims no reason to hesitate before opening it.

The downloaded archive registered zero detections on VirusTotal at the time of analysis, demonstrating the effectiveness of this multi-platform delivery chain against conventional security tooling.

Archive Contents — Concealment by Design

Once extracted, the archive presented the victim with a single visible file: what appeared to be a legitimate Microsoft Word executable. All remaining components were deliberately hidden within the archive, including:

• A malicious DLL (AppvIsvSubsystems64.dll)
• Supporting runtime files
• A batch script (en.cmd / en.pip)
• A decoy Word document
• A hidden folder named “__” containing next-stage components (Invoice.pdf, Trend.jpg, support.ico, nsedge.exe, update.dll)

DLL Sideloading:

Executing the visible file — Position Details and Compensation Policy.EXE (a renamed winword.exe) — triggered a DLL sideloading attack. The malicious AppvIsvSubsystems64.dll was loaded in place of the legitimate Microsoft Office counterpart of the same name.

What distinguishes this DLL File is its file size. The clean, signed version of this DLL typically ranges between 1 MB and 3 MB. The malicious variant was deliberately inflated to approximately 100 MB. This technique — known as binary padding — is specifically designed to evade automated scanning pipelines and static analysis tools that impose file size thresholds or skip oversized files to conserve processing resources.

Batch Script Execution and Persistence

Despite its inflated size, the malicious DLL had a single task: copy "en.pip" to "en.cmd" and execute it. From there, the batch script extracted a next-stage payload from a password-protected archive disguised as "Invoice.pdf" into %LOCALAPPDATA%\Microsoft\WindowsApps, deleted the archive and extraction utility to reduce forensic traces, and registered a scheduled task for persistence.

The final payload was launched through a Python executable named "nsedge.exe" alongside "update.dll", both placed inside %LOCALAPPDATA%\Microsoft\WindowsApps. The masquerade here operated on two levels: the folder path mimicked a legitimate Microsoft Edge installation directory. At the same time, the filenames were chosen to resemble trusted Edge components, making the entire setup appear as routine system activity to both analysts and automated detection tools. (See Figure 6)

Multi-Layer Encoding

Despite carrying a DLL extension, "update.dll" was in fact a Python script, executed with the parameter "sunset". Its role was to read encrypted content from a file named "support.ico", decode it using a key embedded within the file itself, and execute the resulting deobfuscated Python script directly in memory using Python's exec() method, leaving no additional files on disk for forensic tools to recover.

The XOR-decoded content was not the final layer. Underneath it was Python bytecode that had been Base64-encoded and compressed with both bzip2 and zlib. In simple terms, the attacker wrapped the malicious code in multiple layers, one inside the other, making it harder and more time-consuming for analysts to unpack and understand what the malware was actually doing.

Command and Control — Telegram-Based Dynamic Infrastructure

Once the final payload executed, the malware contacted a Telegram channel (hxxps://t.me/erik22sucbot) to retrieve the address of its command-and-control (C2) server. Rather than hardcoding the C2 address — a static indicator that can be blocked after discovery — the attacker stored it on Telegram in encrypted form. The malware decrypted the address at runtime, allowing the attacker to rotate infrastructure without recompiling or redeploying the payload.

Using the “sunset” parameter, the script constructed a download URL (hxxp://151.243.109.125/support/links/sunset[.]txt) to retrieve the final stage payload. The IP address 151[.]243[.]109[.]125 is configured to redirect to a Chinese government website — an additional layer of masquerading intended to cast doubt on analyst findings and create the false impression that the payload was hosted on legitimate government infrastructure.

The downloaded file "sunset.txt" was not a text file despite its .txt extension. It was, in fact, a Python script, heavily obfuscated to resist analysis.

Python Bytecode analysis

From the memory strings, we observed the following: it tries to steal the following items.

Network traffic analysis reveals that sensitive data is being exfiltrated to the external IP address 15.235.156[.]143 over port 56001. Outbound communication is concealed within TLS-encrypted traffic, effectively masking its contents and evading content-based inspection. This encryption layer suggests a deliberate attempt to obfuscate data exfiltration, making it difficult to detect with standard deep packet inspection techniques.

Conclusion

PXA’s evolution into a mature, multi-layered attack operation is a concerning development, as it exploits trust at every stage of the kill chain, from the professional credibility of LinkedIn to the reputation of Google, Dropbox, and Microsoft Office binaries.

The threat actors behind this campaign demonstrate strong operational security awareness, evidenced by the deliberate use of legitimate platforms to avoid detection, in-memory payload execution that leaves no on-disk artifacts, dynamic C2 infrastructure managed through Telegram, and multi-layer encoding to resist reverse engineering.

The campaign's continued propagation through victim LinkedIn connections creates a compounding distribution effect: each compromised account becomes a new, trusted sender for the job-lure message, extending the campaign's reach without additional infrastructure investment from the threat actor.

Job seekers, HR professionals, and employees actively engaged on LinkedIn represent the highest-risk population. Organizations in India, Bangladesh, the Netherlands, Sweden, and the United States should treat this campaign as an active threat.

How can Cyble help?

Cyble Vision can help detect compromised credentials and endpoints, monitor known threats, and supplement SOC teams with proactive intelligence to help avoid them even before they are targeted.

A competitive CTI solution, such as Vision, helps users stay a step ahead of threats originating from the surface, deep, and dark web through timely intel, low signal-to-noise ratio, and specific support in the event of an incident or compromise.

Recommendations

• Verify Recruiter Identities Independently: Always confirm recruiter profiles and company legitimacy through official websites or direct calls before engaging with any job offer received via LinkedIn DMs.
• Never Open Unsolicited File Attachments: Do not download or execute ZIP archives, EXE files, or documents received through job application links, even if they appear to come from a trusted connection.
• Enable Multi-Factor Authentication (MFA): Enable MFA on LinkedIn, email, and all critical accounts. Prefer hardware security keys over app-based TOTP, as infostealers can harvest authenticator tokens
• Audit Your LinkedIn Active Sessions Regularly: Periodically review active sessions and connected devices in LinkedIn security settings. Immediately revoke any unrecognised sessions.
• Keep Endpoint Security Tools Updated: Ensure EDR and antivirus solutions are active and up to date. Deploy solutions capable of detecting DLL sideloading, anomalous Python execution, and large, oversized DLL files.
• Monitor for Suspicious Scheduled Tasks: Regularly audit scheduled tasks on endpoints. Flag any tasks with names that mimic legitimate system processes, such as Microsoft Edge update services.
• Educate Employees on LinkedIn-Based Social Engineering: Include LinkedIn phishing scenarios in regular security awareness training. Employees should understand that professional platforms are actively exploited as initial access vectors
• Report and Revoke Immediately if Compromised: If your LinkedIn account is suspected to be compromised, immediately revoke all active sessions, reset credentials, notify your connections, and report the incident to LinkedIn and your security team.

MITRE ATT&CK Mapping

The post Professional Networks Under Attack: Vietnam-Linked Actors Deploy PXA Stealer in Global Infostealer Campaign appeared first on Cyble.

Cyble is pleased to announce its partnership with Optiv, integrating Cyble’s AI-powered Digital Risk Protection capabilities into Optiv’s Managed Security Services (MSSP) platform and Advanced Fusion Center (AFC). This partnership gives enterprise security teams deeper visibility into external threats — helping organizations detect and respond to risks before they escalate into incidents.

The Problem Security Teams Are Facing

Cyber threats today rarely originate from within an organization’s network perimeter. Threat actors operate across the open, deep, and dark web — trading stolen credentials, building phishing infrastructure, impersonating brands, and exposing sensitive data, often long before a target is aware.

The most common external threats organizations face include:

• Stolen credentials circulating on underground forums
• Phishing infrastructure targeting employees and customers
• Brand impersonation across domains, social media, and online marketplaces
• Leaked intellectual property and exposed sensitive data
• Threat actor activity signaling planned or active campaigns

Traditional security tools — firewalls, endpoint protection, and SIEM systems — are largely blind to these threats. By the time organizations become aware, the damage is often already underway.

What This Partnership Delivers

Cyble’s platform continuously monitors the open, deep, and dark web, identifying threat indicators relevant to each organization. Integrated into Optiv’s Advanced Fusion Center, these insights are brought directly into the managed security workflows that security teams rely on every day.

This means security teams can now:

• Monitor digital risk exposure across external threat environments
• Identify threats targeting their brands, users, and infrastructure
• Correlate external threat intelligence with internal security telemetry
• Prioritize investigations based on real-world threat activity

Rather than treating external intelligence as a separate data source, this partnership embeds it into day-to-day security operations — giving analysts the context they need, when they need it.

Perspectives from Both Organizations

“External digital risks are becoming an increasingly important consideration for enterprise security teams,” said Kevin Gerber, Vice President, Americas at Cyble. “This partnership with Optiv brings Digital Risk Protection directly into managed security operations, helping organizations gain visibility into threat activity across the open, deep, and dark web.”

“Organizations need broader visibility into external threats that may affect their users, brands, and digital assets,” said Kathryn Hall, SVP, Services at Optiv. “Cyble’s Digital Risk Protection capabilities add valuable context to our security operations, helping teams identify and monitor risks beyond the traditional network perimeter.”

Looking Ahead

As organizations continue expanding their digital presence, the need for visibility beyond the traditional network boundary will only grow. Through this partnership, Cyble and Optiv are working together to help enterprise security teams stay ahead of emerging threats — combining intelligence, automation, and operational expertise to support more proactive and effective security operations.

The post Cyble and Optiv Partner to Bring Digital Risk Protection to Managed Security Operations appeared first on Cyble.

Executive Summary

Cyble Research & Intelligence Labs (CRIL) has identified a widespread, highly active social engineering campaign hosted primarily on edgeone.app infrastructure.

The initial access vectors are diverse — ranging from “ID Scanner,” and “Telegram ID Freezing,” to “Health Fund AI”—to trick users into granting browser-level hardware permissions such as camera and microphone access under the pretext of verification or service recovery.

Upon gaining permissions, the underlying JavaScript workflow attempts to capture live images, video recordings, microphone audio, device information, contact details, and approximate geographic location from affected devices. This data is subsequently transmitted to attacker-controlled infrastructure, enabling operators to obtain Personally Identifiable Information (PII) and contextually sensitive information. 

Further analysis revealed indicators of potential AI-assisted code generation, including structured annotations and emoji-based message formatting embedded within the operational logic. These characteristics reflect a growing trend where threat actors leverage generative AI tools to accelerate the development of phishing frameworks.

The breadth of data collected in this campaign extends beyond traditional credential phishing and raises significant security concerns. Harvested multimedia and device telemetry could be leveraged for identity theft, targeted social engineering, account compromise attempts, or extortion, posing risks to both individuals and organizations. (Figure 1)

Key Takeaways

• Infrastructure: Extensive use of edgeone.app (EdgeOne Pages) for hosting low-cost, scalable, and highly available phishing landing pages.
• Biometric Harvesting: The operation abuses legitimate browser APIs to access cameras, microphones, and device information after user consent.
• C2 Mechanism: Utilization of the Telegram Bot API (api.telegram.org) as a streamlined C2 and data exfiltration channel.
• Diverse Lures: Attackers rotate lures, including "ID Scanner" and "Health Fund AI", to target various demographics and bypass regional security filters.
• The phishing pages impersonate popular platforms and services, including TikTok, Telegram, Instagram, Chrome/Google Drive, and game-themed lures such as Flappy Bird, to increase victim trust.
• Once interaction occurs, the campaign attempts to collect multiple forms of sensitive data, including photographs, video recordings, microphone audio, device information, contact details, and approximate geographic location.

Overview

• Campaign Start: Observed since early 2026
• Primary Objective: Harvesting victim multimedia data and device information
• Primary Infrastructure: edgeone.app (multiple subdomains)
• Impersonated Brands: TikTok, Telegram, Instagram, Chrome/Google Drive, Flappy Bird
• Key Behavior: Browser permission prompts used to capture camera images, record audio/video, enumerate device metadata, retrieve geolocation information, and attempt contact list access through browser APIs.

The campaign operates as a web-based phishing framework that captures photographs directly from victims’ devices. The infrastructure hosts multiple phishing templates that impersonate verification systems or service recovery portals. The goal is to socially engineer users into granting browser permission for camera access.

Unlike traditional credential phishing pages, these pages do not primarily collect typed input. Instead, they rely on browser hardware permissions, requesting access to the device’s camera. Once permission is granted, the page silently captures a frame from the live video stream and exfiltrates it.

The use of Telegram as a data collection mechanism indicates that the operators prioritize low operational complexity and immediate access to stolen data. Since Telegram bots can receive file uploads through simple HTTP requests, attackers can directly integrate the API into client-side scripts.

Business Impact and Potential Abuse

The data collected through this campaign provides attackers with multiple forms of sensitive personal information and contextual intelligence, thereby significantly increasing the effectiveness of follow-on attacks.

One potential abuse scenario involves identity fraud and account recovery manipulation. The campaign captures victim photographs, video recordings, and audio samples that could be used to bypass identity verification workflows used by financial platforms, social media services, or other online services that rely on biometric or video-based verification.

Additionally, the collection of device information, location data, and contact details allows attackers to build detailed victim profiles. This information may be used to perform targeted social engineering attacks, impersonate victims in communication platforms, or craft convincing fraud attempts against their contacts.

Another concerning use case involves extortion and intimidation. Because the campaign captures multimedia data, such as camera images, video recordings, and microphone audio, attackers may pressure victims by threatening to expose the collected material unless a payment is made.

For organizations, the broader business impact includes:

• Increased risk of identity theft and account takeover attempts
• Potential abuse of stolen biometric and multimedia data in fraud schemes
• Targeted phishing or fraud campaigns against employees and customers
• Reputational damage if impersonated brand identities are used in malicious campaigns

The campaign's ability to collect multiple categories of sensitive information from a single interaction significantly amplifies the risk to both individuals and businesses.

Why does this matter?

This campaign marks a significant evolution in phishing operations, shifting from credential theft to harvesting biometric and device-level data. By abusing browser permissions to capture victims' live images, audio, and contextual device information, threat actors can obtain high-quality identity data that is difficult to revoke or replace.

The stolen data can be leveraged to bypass video-KYC and remote identity verification processes, enabling fraudulent account creation, synthetic identity fraud, account takeover, and financial scams across banking, fintech, telecom, and digital service platforms. Additionally, high-resolution facial images and audio samples may be weaponized for AI-driven impersonation and deepfake attacks, increasing the effectiveness of business email compromise and targeted social engineering campaigns.

For organizations, the campaign introduces elevated risks, including financial losses, regulatory non-compliance, AML exposure, reputational damage, and erosion of trust in digital onboarding systems, highlighting the growing need for stronger verification controls and browser-permission abuse detection.

Technical Analysis

The infection chain, as outlined in Figure 2, shows the stages of the attack.

Phishing Page Behaviour

The phishing page contains embedded JavaScript that leverages browser media APIs to access the victim’s device camera after obtaining user permission. Once access is granted, the script initializes a live video stream and processes its frames.

A capture function then renders a frame from the video feed onto an HTML5 canvas using ctx.drawImage(), effectively converting the live camera input into a static image. (see Figure 3)

The canvas content is subsequently encoded into a JPEG blob via canvas.toBlob(), creating a binary image object that can be transmitted through HTTP requests to attacker-controlled infrastructure.

Expanded Data Collection Capabilities

Analysis of the campaign script indicates that the phishing framework performs extensive device fingerprinting and environment enumeration before initiating camera-based verification workflows.

The script collects system metadata using the following browser APIs

• navigator.userAgent
• navigator.platform
• navigator.deviceMemory
• navigator.hardwareConcurrency
• navigator.connection
• navigator.getBattery

This allows the attacker to gather detailed information such as operating system type and version, device model indicators, screen resolution and orientation, browser version, available RAM, CPU core count, network type, battery level, and language settings.

Additionally, the script retrieves the victim’s public IP address using services such as api.ipify.org, then enriches the geolocation using ipapi.co, enabling the collection of country, city, latitude, and longitude data. (see Figure 4)

This telemetry is aggregated and transmitted to the attacker via the Telegram Bot API, providing operators with contextual information about the victim’s device and location prior to further data harvesting.

Beyond system profiling, the script implements multiple routines for collecting multimedia and personal data via browser permission prompts. The campaign captures several still images from both the front-facing and rear-facing cameras, records short video clips using the MediaRecorder API, and performs microphone recordings.

These recordings are packaged as JPEG, WebM video, or WebM audio files and exfiltrated via Telegram API methods such as sendPhoto, sendVideo, and sendAudio. (see Figure 5)

Additionally, the script attempts to access the victim’s contact list through the Contacts Picker API (navigator.contacts.select), requesting attributes such as contact names, phone numbers, and email addresses. If granted, the selected contacts are formatted into structured messages and transmitted to the attacker. (see Figure 6)

User Interface Manipulation

The phishing pages include interface elements designed to convince victims that the image capture process is legitimate.

For example, status messages displayed during execution may include:

• “Capturing photo”
• “Sending to server”
• “Photo sent successfully”

These messages simulate the behavior of legitimate identity verification platforms and help maintain the illusion that the process is part of a valid verification workflow.

Once the image is successfully transmitted, the script terminates the camera stream and resets the interface after a short delay.

Infrastructure Observations

Analysis of the campaign revealed that the phishing pages are primarily hosted under the edgeone.app domain. Multiple variations of phishing pages were observed using similar JavaScript logic and workflow patterns.

The consistent use of the same infrastructure suggests that attackers may be operating a templated phishing kit capable of generating different themed pages while maintaining the same underlying data-collection logic.

Because the image exfiltration occurs through Telegram infrastructure, the phishing pages themselves do not require backend servers, simplifying deployment and enabling rapid rotation of phishing URLs.

Indicators of Potential Generative AI Use in Script Development

During analysis of the phishing framework, researchers observed the use of emojis embedded directly within the script’s message formatting logic. These emojis appear in structured status messages that are assembled and transmitted during the data collection workflow. The use of decorative Unicode symbols within operational code is uncommon in manually written malicious scripts but has increasingly been observed in campaigns that use generative AI tools during development. (see Figure 7)

Targeted Countries and Impersonated Brands

During infrastructure monitoring and phishing URL telemetry analysis, the campaign's infrastructure appears to be globally accessible. Analysis of the phishing templates used in this campaign reveals that the operators impersonate a range of widely recognized consumer platforms and applications. Observed brand impersonation themes include:

Conclusion

Our deep-dive analysis revealed a sophisticated phishing campaign that extends beyond traditional credential theft by harvesting multimedia and device-level data through browser permission abuse.

The campaign attempts to collect photographs, video recordings, audio recordings from microphones, contact details, device information, and approximate location data directly from victims. This operation demonstrates a growing trend where attackers leverage client-side scripting and legitimate web services to collect and transmit sensitive data without relying on traditional command-and-control infrastructure.

Indicators in the script also suggest AI-assisted development, reflecting how threat actors may be using generative AI tools to accelerate the creation of phishing frameworks.

The breadth of information collected increases the potential for identity theft, targeted social engineering, account compromise attempts, and extortion. Organizations should remain cautious about phishing pages that request hardware permissions, such as camera, microphone, or contact access, particularly when originating from untrusted domains.

Cyble’s Threat Intelligence Platforms continuously monitor emerging threats, attacker infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

• Restrict camera permissions for unknown websites
• Monitor outbound traffic to api.telegram.org when originating from browser sessions
• Deploy browser security extensions capable of identifying phishing pages
• Implement domain monitoring for suspicious infrastructure hosting phishing kits

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post AI-Assisted Phishing Campaign Exploits Browser Permissions to Capture Victim Data appeared first on Cyble.

Executive Summary

In early February 2026, Cyble Research & Intelligence Labs (CRIL) identified a new Linux malware strain delivered through a loader structure previously associated with ShadowHS activity. While ShadowHS samples deployed post-exploitation tooling, the newly observed payload is operationally different. We have named it ClipXDaemon, an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments.

At the time of this writing, there is no evidence that ShadowHS and ClipXDaemon originate from the same malware author or campaign. The structural overlap in the loader stems from the use of bincrypter, an open-source shell-script encryption framework hosted on GitHub. Both campaigns appear to have leveraged this public tool independently.

ClipXDaemon differs fundamentally from traditional Linux malware. It contains no command-and-control (C2) logic, performs no beaconing, and requires no remote tasking. Instead, it monetizes victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them in real time with attacker-controlled addresses.

It employs stealth techniques, including process masquerading and Wayland session avoidance, in which the attack chain operates entirely locally, without network communication, infrastructure, or operator interaction after execution, making detection and response significantly more challenging.

The campaign is particularly relevant now, given the growing adoption of Linux among developers, traders, and crypto users, many of whom rely on X11-based GUI environments. This represents an evolution in Linux financial malware: autonomous, C2-less, stealthy, and user-focused.

Key Takeaways

• The previously observed ShadowHS-style loader is reused to deploy a different payload — a Linux X11 cryptocurrency clipboard hijacker.
• The campaign uses a three-stage infection chain:
  • Encrypted loader
  • Memory-resident dropper
  • On-disk ELF clipboard hijacker

• The Dropper is entirely staged in memory via a bincrypter-generated loader that uses AES-256-CBC decryption and gzip decompression.
• The malware avoids modern Wayland sessions and operates exclusively in X11 environments, demonstrating intentional defense evasion.
• Implements stealth techniques including double-fork daemonization, /proc masquerading, and PR_SET_NAME process renaming.
• The payload is a fully autonomous daemon that monitors the clipboard every 200ms and replaces cryptocurrency addresses with attacker-controlled wallets, targeting Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets.
• Encrypted regex is ChaCha20-based, with embedded static keys and 64-byte block decryption, ensuring payload secrecy.
• Payload is autonomous with no communication with external C2 (functions entirely locally), relying only on clipboard replacement for monetization.
• Persistence is achieved via ~/.profile modification.
• The campaign illustrates increasing operational reliance on open-source tooling in modern malware development.

Background & Threat Landscape

The ShadowHS malware family, documented in January 2026, used encrypted shell loaders to execute an in-memory, weaponized hackshell payload targeting server environments and was associated with post-exploitation tooling.

ClipXDaemon reflects a strategic pivot. While the staging wrapper remains structurally similar, the delivered payload is entirely different: an autonomous cryptocurrency clipboard hijacker focused on Linux users.

Both ShadowHS samples and ClipXDaemon leverage the publicly available bincrypter framework to encrypt and wrap shell payloads. However, the reuse of a commodity open-source obfuscation tool does not constitute evidence of actor overlap. This indicates a broader trend where attackers are increasingly weaponizing legitimate open-source utilities to reduce development overhead.

This case illustrates several macro-level shifts in the threat landscape. Linux malware is becoming more specialized, targeting financial workflows directly rather than deploying general-purpose remote access tools.

Operational exposure is minimized by eliminating network communication entirely. Modular reuse of publicly available encryption wrappers allows rapid payload swapping without rebuilding infrastructure.

ClipXDaemon therefore represents both a tactical evolution in Linux clipboard hijacking and a strategic example of open-source tool weaponization in financially motivated campaigns.

Technical Analysis

Bincrypt Obfuscated Loader

The initial loader used in this campaign matches the structural output generated by bincrypter. The wrapper script stores an encrypted payload blob inline, base64-decodes it at runtime, strips non-printable characters, derives AES-256-CBC decryption parameters, decompresses via gzip, and executes the decrypted stage directly from memory. (See Figure 1)

The decryption stub, variable naming conventions (short uppercase variables such as P and S), OpenSSL invocation pattern, and execution via /proc/self/fd align with bincrypter-generated output. When replicated in a controlled environment using bincrypter, the structural characteristics match closely. (See Figure 2)

However, the presence of bincrypter does not imply shared authorship between ShadowHS and ClipXDaemon. Bincrypter is a public, open-source tool. Its reuse reflects convenience and operational efficiency rather than coordinated campaign lineage.

The same loader logic is retained across versions. Differences are confined to the embedded base64 password (P), the salt (S), the encrypted configuration blob (C), the payload offset (R), and the derived AES key.

This indicates that the loader functions as a reusable staging framework, with payloads swapped at build time rather than behavioral modification.

In-Memory Dropper Execution

Once the loader decrypts and decompresses an intermediate dropper, it does not write the script to disk. Instead, it executes it directly through a file descriptor under /proc/self/fd. This avoids static inspection of the decrypted stage and minimizes disk artifacts.

Upon execution, the decrypted dropper writes a message to STDOUT for purely cosmetic purposes, thereby disguising itself as legitimate software. (See Figure 3)\

Subsequently, it contains an embedded base64-encoded ELF binary, which is decoded & written to a file with a randomized name (between eight and nineteen characters, with a numeric suffix). (See Figure 4)

The ELF binary is dropped at ~/.local/bin/<random_name>. The path selection is deliberate, considering that it resides in userland, requires no elevated privileges, and allows blending with legitimate user-installed binaries. (See Figure 5)

Persistence

After writing the file, the dropper marks it executable, launches it in the background, and appends an execution line to ~/.profile. (See Figure 6)

By modifying ~/.profile, the implant ensures it is executed during future interactive login sessions. This is a user-level persistence mechanism that does not require cron jobs, systemd services, or root access. This indicates that the targeting profile is more consistent with Linux environments than with servers.

Payload Architecture: X11-Dependent Design

The deployed ELF binary is a 64-bit Linux executable dynamically linked against X11 libraries. At the time of writing, it goes undetected by security vendors on VirusTotal. (See Figure 7)

Execution begins with a simple environmental gate: the program checks whether the WAYLAND_DISPLAY environment variable is present.

• If Wayland is detected, execution terminates immediately.
• If Wayland is absent, execution proceeds.

This is done because Wayland’s design prevents global clipboard scraping as X11 allows. By explicitly disabling itself in Wayland sessions, it avoids runtime failure and reduces noise. This indicates that the implant is designed specifically for X11. This environmental awareness indicates familiarity with modern Linux architecture. (See Figure 8)

Daemonization and Process Masquerading

After passing the environment check, the payload performs a double-fork daemonization sequence. It detaches from the controlling terminal, creates a new session, forks again, closes standard file descriptors, changes the working directory to root, and resets the file mode mask. (See Figure 9)

Immediately afterward, it calls prctl(PR_SET_NAME, ...), altering its process name to resemble a kernel worker thread — specifically mimicking kworker/0:2-events. It also modifies argv[0] to reinforce this disguise. (See Figure 10)

This technique is designed to reduce suspicion during casual inspection with tools such as ps or top, as kernel worker names are familiar to Linux administrators and are often ignored.

This technique is not intended to defeat forensic examination; rather, it aims at camouflage rather than perfect stealth.

Clipboard Monitoring Loop

Once daemonized, the implant connects to the X server using standard X11 APIs. If a display connection cannot be established, execution halts. If successful, the program enters a continuous polling loop that iterates every 200 milliseconds, retrieving the contents of the CLIPBOARD selection. (See Figure 11)

Clipboard retrieval is implemented using the native X11 selection protocol rather than a shortcut API. The malware resolves the "CLIPBOARD" and "UTF8_STRING" atoms, creates a hidden 1x1 window, and calls XConvertSelection to request clipboard data in UTF-8 format. It then blocks on SelectionNotify events via XNextEvent until the clipboard owner responds.

Once delivered, the data is extracted with XGetWindowProperty, duplicated into process memory, and the temporary window is destroyed. This ensures clean, synchronous acquisition of human-readable clipboard text without visible UI artifacts. (See Figure 12)

The retrieved text is evaluated against a set of regular expressions corresponding to cryptocurrency wallet formats. If a match is detected, the malware transitions from passive monitoring to active hijacking. It claims clipboard ownership using XSetSelectionOwner, again through a hidden window, and waits for SelectionRequest events.

When a paste operation occurs, the implant responds by supplying the attacker-controlled wallet address via XChangeProperty and XSendEvent, gracefully completing the X11 selection handshake. (See Figure 13)

The 200ms polling interval balances responsiveness and resource invisibility. Replacement occurs fast enough to precede typical paste actions while maintaining low CPU usage. The implant does not intercept keystrokes or monitor network traffic; it simply abuses X11’s trust model — reading clipboard contents, matching wallet patterns, and serving malicious replacements at paste time.

Configuration Protection Using ChaCha20

Wallet regex patterns and replacement addresses are not stored in plaintext. They are encrypted in binary using a ChaCha20 stream cipher with a static 256-bit key and a counter. This avoids revealing configuration buffers during static analysis.

At runtime, a static 256-bit key and counter are used to decrypt configuration buffers in memory. Only after decryption are the regular expressions compiled and replacement wallet addresses stored in memory. (See Figure 14)

This prevents trivial extraction using static string analysis but does not protect communications, as no command-and-control channel exists. The cryptographic implementation is functional rather than advanced. It is sufficient to defeat naive inspection but offers limited resistance to dynamic analysis.

Cryptocurrency Targeting

Dynamic instrumentation revealed that the payload matches multiple cryptocurrency wallet formats. Below is an example showing a Monero address match (See Figure 15)

Below are the regex being matched (extracted post-decryption) :

Ethereum:     "^0x[0-9a-fA-F]{40}$"
Monero:          "^[4][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"
Bitcoin:         "^(bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34}$"
Dogecoin:      "^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$"
TON:             "^(EQ|UQ)[A-Za-z0-9_-]{46}$"
Litecoin:      "^([LM3]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}||ltc1[a-z0-9]{39,59})$"
Ripple:     "^r[1-9A-HJ-NP-Za-km-z]{25,34}$"
Tron:            "^T[A-Za-z1-9]{33}$"

The implant operates entirely offline, with encrypted replacement addresses hardcoded and static. Upon detection, the clipboard is overwritten with attacker wallet addresses embedded in the binary (in encrypted form). (See Figure 16)

Observed replacement wallets include:

Additional regex patterns indicate monitoring of TON and Ripple wallet formats, although replacement addresses were not observed for those assets.

Absence of Command-and-Control Infrastructure

No network communication was observed during analysis. The binary does not initiate DNS queries, HTTP requests, or socket connections and carries no embedded domains or IP addresses.

This C2-less architecture fundamentally alters the traditional malware kill chain. There is no beaconing stage, no tasking loop, no data exfiltration channel, and no infrastructure to dismantle. Monetization occurs directly at the endpoint when a victim pastes a manipulated wallet address and executes a cryptocurrency transaction.

This model reduces the attacker's operational risk. Since there are no servers to seize, no traffic to sinkhole, and no indicators derived from network telemetry, the detection strategy must rely on host-based behavioral analysis rather than network security controls.

The campaign illustrates a growing trend: financially motivated malware that eliminates the need for infrastructure. Combined with the reuse of publicly available tools such as bincrypter for payload staging, this approach lowers development costs, accelerates deployment, and complicates attribution.

ClipXDaemon is therefore notable not only for its technical design but for what it represents — the increasing weaponization of open-source tooling and the emergence of autonomous, infrastructure-less financial malware targeting Linux users.

Conclusion

The analysis of ClipXDaemon reflects a meaningful shift in Linux malware tradecraft — not in the sophistication of exploitation, but in operational design. The threat eliminates the need for command-and-control infrastructure entirely, collapsing the traditional kill chain into a localized, self-contained monetization loop.

There are no external beacons, tasking servers, or data exfiltration channels. Revenue generation depends solely on clipboard interception and user transaction behavior.

While ClipXDaemon reuses the same loader framework previously observed in ShadowHS reporting, there is no evidence of convergence in attribution. The shared component – bincrypter- is an openly available obfuscation framework.

Its reuse highlights a broader trend in the threat landscape; adversaries increasingly operationalize legitimate open-source tooling to accelerate development cycles and standardize staging mechanisms. This modular reuse model lowers barriers to entry while complicating campaign clustering and attribution analysis.

ClipXDaemon’s strength lies in precision targeting, environmental awareness, and architectural minimalism. As Linux adoption grows within cryptocurrency and developer communities, financially motivated userland implants such as this are likely to increase in frequency.

Cyble's Threat Intelligence Platforms continuously monitor emerging threats, attacker infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

From a detection standpoint, this architectural choice significantly reduces conventional visibility. Network-based detections, domain-reputation feeds, and infrastructure takedown strategies are ineffective against implants that never communicate externally. Instead, detection must pivot toward behavioral telemetry within the endpoint. Given the absence of network indicators, defensive strategies must prioritize endpoint visibility and behavioral controls.

Harden Linux Environments

• Where operationally feasible, transition from X11 (permissive model) to Wayland-based sessions. Wayland’s security model restricts global clipboard scraping, thereby reducing this attack surface.
• Restrict execution from user-writable directories such as ~/.local/bin/ where possible through application control policies.

Monitor Userland Persistence

• Audit modifications to ~/.profile, ~/.bashrc, and other user-level autostart mechanisms.
• Establish baselines for legitimate binaries within ~/.local/bin/ and alert on newly created executables.

Detect Process Masquerading

• Identify processes with kernel-thread naming conventions (e.g., kworker/*) running under non-root user contexts.
• Correlate prctl(PR_SET_NAME) modifications with suspicious execution ancestry.

Instrument X11 API Abuse

• Monitor for abnormal or repetitive use of:
  • XConvertSelection
  • XSetSelectionOwner
  • XGetWindowProperty

• High-frequency clipboard polling (e.g., ~200ms intervals) originating from background daemons should be investigated.

Implement Behavioral EDR Controls

• Alert on execution of ELF binaries dropped from interpreted shell scripts via /proc/self/fd.
• Detect double-fork daemonization sequences initiated from user shell contexts.
• Flag base64-decoded ELF writes followed by immediate execution.

User Awareness Controls

• Encourage manual verification of cryptocurrency addresses before transaction confirmation.
• Where possible, utilize hardware wallet confirmation mechanisms that display recipient addresses independently of the host system.

Organizations operating Linux environments in cryptocurrency-sensitive roles should consider clipboard manipulation threats as part of their baseline threat model.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

The post ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered via Bincrypter-Based Loader appeared first on Cyble.

Executive Summary

SURXRAT is an actively developed Android Remote Access Trojan (RAT) commercially distributed through a Telegram-based malware-as-a-service (MaaS) ecosystem under the SURXRAT V5 branding.

The malware is marketed using structured reseller and partner licensing tiers, allowing affiliates to generate and distribute customized builds while the operator maintains centralized infrastructure and operational control.

This distribution model reflects the increasing professionalization of the Android threat landscape, where malware developers focus on scalability and monetization through affiliate-driven campaigns.

Technical analysis shows that SURXRAT operates as a full-featured surveillance and device-control platform capable of extensive data exfiltration, real-time remote command execution, and ransomware-style device locking.

The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure to manage infected devices. Code similarities suggest that it evolved from the ArsinkRAT family.

We have identified the latest samples that conditionally download a large LLM module, indicating experimentation with AI-assisted capabilities, device performance manipulation, and alternative monetization strategies alongside traditional surveillance and extortion activities.

While it may not always be possible to avoid these threats entirely, prompt action can help reduce the impact of compromise. Threat intelligence tools such as Vision provide users with a real-time view of their digital threat landscape, alerting them to any compromise and enabling them to take corrective action.

Key Takeaways

• SURXRAT is sold openly via Telegram, with reseller and partner licensing tiers, enabling scalable distribution through affiliate operators rather than centralized campaigns.
• Source code references and functional overlap indicate SURXRAT likely evolved from ArsinkRAT, highlighting continued reuse and rapid enhancement of Android RAT frameworks.
• The malware collects sensitive data, including SMS messages, contacts, call logs, device information, location data, and browser activity, enabling credential theft and financial fraud operations.
• Use of Firebase Realtime Database infrastructure allows attackers to blend malicious communications with legitimate cloud traffic, improving reliability and complicating detection.
• SURXRAT conditionally downloads a large LLM module from external repositories, suggesting experimentation with AI-driven functionality, device performance manipulation, or evasion techniques.
• The integrated ransomware-style screen locker enables attackers to deny device access and demand payment, allowing flexible monetization through surveillance, fraud, or extortion.

Overview

Cyble Research and Intelligence Labs (CRIL) identified a new variant of SURXRAT, an actively developed Android Remote Access Trojan (RAT) being openly commercialized through a dedicated Telegram-based distribution ecosystem. Unlike opportunistic commodity malware, SURXRAT is positioned as a subscription-style cybercrime product, indicating an increasing level of professionalization in the Android malware-as-a-service (MaaS) landscape.

The Indonesian threat actor (TA) operates a Telegram channel through which the malware is marketed, regularly updated, and distributed to resellers and partners. The channel was created in late 2024, suggesting that active malware development likely began in early 2025. At the time of analysis, we identified more than 180 related samples, indicating continuous development activity and demonstrating that the threat actor is actively maintaining and evolving the malware.

The structured pricing tiers, operational announcements, and feature updates demonstrate a mature commercialization model similar to underground SaaS platforms, suggesting the operator is targeting aspiring cybercriminals rather than conducting attacks directly.

SURXRAT is marketed under a structured licensing scheme branded as SURXRAT V5, indicating active development and ongoing version iteration by the operator. The threat actor offers two primary purchase tiers within a “Ready Plan” model designed to attract both individual operators and larger resellers.

The Reseller Plan, advertised at a one-time payment of 200k, provides permanent access, allows buyers to generate up to three malware builds per day, includes free server upgrades, and permits users to create and sell SURXRAT builds while adhering to the operator’s predefined market pricing.

The Partner Plan, priced at 500k as a permanent license, expands these capabilities by increasing the daily build limit to ten accounts, maintaining free server upgrades, and granting buyers the ability to establish their own reseller networks, effectively enabling further distribution.

Both tiers emphasize a one-time payment structure (“anti pt pt”), suggesting no recurring subscription fees. This tiered commercialization approach demonstrates the operator's deliberate attempt to scale malware adoption through affiliate-style distribution, decentralizing infection operations while retaining centralized control over infrastructure and ecosystem governance.

The threat actor periodically posts operational statistics to reinforce legitimacy and attract buyers. One such announcement revealed:

• Bot Status: Active
• Total Users: 1,318 registered accounts within the system
• Operational confirmation timestamp: January 2026

While these figures cannot be independently verified, public disclosure of user metrics is a common underground marketing tactic intended to establish credibility and demonstrate adoption among cybercriminal customers. If accurate, the numbers suggest a growing ecosystem of operators leveraging SURXRAT for Android surveillance and financial fraud operations.

SURXRAT V5 provides a comprehensive surveillance and remote-control feature set consistent with modern Android RATs. The functionality indicates a strong emphasis on data harvesting, device monitoring, and full remote manipulation.

Data Collection and Surveillance Features

The malware enables extensive extraction of sensitive user information, including:

• SMS monitoring
• Contact list and call logs
• System information and installed applications
• Gmail account data
• Device location tracking
• Network and connectivity information
• Notification interception
• Clipboard monitoring
• Web browsing history
• Cellular tower intelligence
• WiFi scanning and connection history
• Full file manager access

This level of visibility allows attackers to perform credential harvesting, OTP interception, profiling, and reconnaissance for secondary fraud operations.

Remote Device Control Capabilities

SURXRAT extends beyond passive surveillance by enabling attackers to manipulate compromised devices actively:

• Remote device unlocking
• Triggering phone calls
• Wallpaper modification via remote URL
• Remote audio playback
• Network lag manipulation
• Push notification delivery
• Forced website opening
• Flashlight activation
• Device vibration control
• On-screen text overlays
• Device locking using attacker-defined PIN
• Complete storage wipe functionality

During analysis of the SURXRAT sample, references to ArsinkRAT were found in the source code, suggesting a developmental relationship between the two malware families. In January 2026, Zimperium reported an increase in activity associated with ArsinkRAT campaigns targeting Android devices.

A comparative analysis indicates notable functional and structural similarities between SURXRAT and ArsinkRAT, suggesting that the threat actor likely leveraged the ArsinkRAT source code. Using this foundation, an enhanced variant incorporating additional capabilities and updated features was subsequently developed.

This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities.

During our analysis of the latest SURXRAT variant, we identified a deliberate mechanism to manipulate network lag. The malware initiates the download of a large LLM module (>23GB) hosted on Hugging Face. This approach is highly atypical for a mobile-based device.

Notably, this download is conditionally triggered when specific gaming applications are active on the victim’s device, namely Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax) and Free Fire x JUJUTSU KAISEN (com.dts.freefireth), or when the malware receives alternative target package names dynamically from the threat actor–controlled server.

This indicates that the download behavior is remotely configurable, allowing operators to initiate the module retrieval based on applications specified through backend commands.

While downloading a model of this size on a mobile device may initially appear impractical, the observed behavior indicates intentional implementation rather than a misconfiguration. The LLM module appears to be under active development and may be leveraged to:

• Deliberately introduce device or network latency during gameplay, potentially supporting paid cheating or disruption services
  mask malicious background activity by degrading overall device performance, leading users to attribute abnormal behavior to system issues rather than malware
  enable future AI-driven capabilities, such as automated interactions or adaptive social engineering techniques

The selective and conditional deployment of this module suggests that the threat actor is actively experimenting with AI-based components to enhance monetization strategies, improve evasion techniques, and expand operational capabilities.

Technical Analysis

Upon execution, the malware prompts the victim to grant multiple high-risk permissions, including access to location services, contacts, SMS messages, and device storage.

Following initial permission approval, the malware displays additional prompts guiding the user to enable Accessibility Services. This commonly abused Android feature allows applications to monitor screen content and perform automated actions. The abuse of accessibility permissions significantly increases attacker control, enabling surveillance and facilitating further malicious operations without continuous user interaction.

After acquiring the required permissions, SURXRAT establishes communication with a backend infrastructure hosted on a Firebase Realtime Database:

hxxps://xrat-sisuriya-default-rtdb.firebaseio[.]com

The malware connects using a database reference labeled “arsinkRAT,” further reinforcing the developmental linkage between SURXRAT and the previously observed ArsinkRAT malware family.

Once connectivity is established, the malware performs device registration by generating a random UUID, which serves as a unique identifier for tracking infected devices. Following registration, SURXRAT immediately begins exfiltrating sensitive information to the Firebase backend.

The malware collects and transmits a wide range of victim data, enabling comprehensive device profiling. Exfiltrated information includes:

• Contact lists
• SMS messages
• Call logs
• Device brand and model
• Android OS version
• Battery level and status
• SIM card details
• Network information
• Public IP address

This dataset allows attackers to uniquely identify victims, monitor communications, and prepare follow-on fraud or surveillance activities such as OTP interception and account takeover.

After successful device registration, SURXRAT launches a persistent background service that maintains continuous communication with the Firebase command-and-control (C&C) infrastructure and receives commands. The malware initializes multiple internal manager classes that handle surveillance, device control, and data collection.

The infected device periodically sends status updates to the backend while simultaneously polling for incoming commands issued by the operator. This near real-time synchronization enables attackers to execute actions on compromised devices remotely with minimal delay.

Analysis of command handlers revealed several instructions received from the Firebase backend that allow attackers to perform surveillance and active device manipulation:

The figure below shows the admin panel image shared on the threat actor’s Telegram account, highlighting the various actions and controls available through SURXRAT.

Screen Locker Activity

The SURXRAT sample also contains a ransomware-style screen locker module that allows a remote attacker to seize control of the victim’s device and temporarily deny access to it. When activated, the malware forces the device to display a persistent full-screen lock message that the user cannot easily dismiss. The attacker can remotely customize both the displayed message and the unlock PIN, enabling them to demand a ransom payment directly from the victim.

The malware continuously reports user interactions back to the attacker’s server. Each incorrect PIN entry is transmitted to the backend, allowing the operator to monitor victim behavior and response attempts in real time. The lock screen can also be remotely removed by the attacker, giving them complete control over when the device becomes usable again. Overall, this functionality appears intended to coerce victims through disruption and intimidation, ultimately facilitating ransom-based monetization.

The integration of ransomware-style locking into a surveillance RAT indicates hybrid monetization, allowing operators to switch between espionage, fraud, and direct extortion based on the value of the victim.

Conclusion

SURXRAT represents a notable evolution in Android malware, combining MaaS-style commercialization, cloud-based command infrastructure, and modular capabilities into a single adaptable threat platform. The malware’s extensive surveillance features, real-time remote control functions, and ransomware-style device locking demonstrate a shift toward multi-functional mobile threats designed for flexible monetization.

The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection. As Android malware ecosystems continue to mature, threats like SURXRAT highlight the increasing accessibility of advanced mobile attack capabilities to a broader cybercriminal audience, reinforcing the need for improved mobile threat visibility, behavioral detection, and user awareness.

Prevention is ideal, but it isn’t always an option. Threat Intelligence platforms such as Cyble Vision provide users with insight into their digital risk profile and can notify them of any breaches or unauthorized access, enabling them to take immediate corrective action.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

• Install Apps Only from Trusted Sources:
  Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
• Be Cautious with Permissions and Installs:
  Never grant permissions and install an application unless you're certain of an app's legitimacy.
• Watch for Phishing Pages:
  Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
• Enable Multi-Factor Authentication (MFA):
  Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
• Report Suspicious Activity:
  If you suspect you've been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
• Use Mobile Security Solutions:
  Install a mobile security application that includes real-time scanning.
• Keep Your Device Updated:
   Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post SURXRAT: From ArsinkRAT roots to LLM Module Downloads Signaling Capability Expansion appeared first on Cyble.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) observed large-scale, systematic exposure of ChatGPT API keys across the public internet. Over 5,000 publicly accessible GitHub repositories and approximately 3,000 live production websites were found leaking API keys through hardcoded source code and client-side JavaScript.

GitHub has emerged as a key discovery surface, with API keys frequently committed directly into source files or stored in configuration and .env files. The risk is further amplified by public-facing websites that embed active keys in front-end assets, leading to persistent, long-term exposure in production environments.

CRIL’s investigation further revealed that several exposed API keys were referenced in discussions mentioning the Cyble Vision platform. The exposure of these credentials significantly lowers the barrier for threat actors, enabling faster downstream abuse and facilitating broader criminal exploitation.

These findings underscore a critical security gap in the AI adoption lifecycle. AI credentials must be treated as production secrets and protected with the same rigor as cloud and identity credentials to prevent ongoing financial, operational, and reputational risk.

Key Takeaways

• GitHub is a primary vector for the discovery of exposed ChatGPT API keys.
• Public websites and repositories form a continuous exposure loop for AI secrets.
• Attackers can use automated scanners and GitHub search operators to harvest keys at scale.
• Exposed AI keys are monetized through inference abuse, resale, and downstream criminal activity.
• Most organizations lack monitoring for AI credential misuse.

AI API keys are production secrets, not developer conveniences. Treating them casually is creating a new class of silent, high-impact breaches.

Richard Sands, CISO, Cyble

Overview, Analysis, and Insights

“The AI Era Has Arrived — Security Discipline Has Not”

We are firmly in the AI era. From chatbots and copilots to recommendation engines and automated workflows, artificial intelligence is no longer experimental. It is production-grade infrastructure with end-to-end workflows and pipelines. Modern websites and applications increasingly rely on large language models (LLMs), token-based APIs, and real-time inference to deliver capabilities that were unthinkable just a few years ago.

This rapid adoption has also given rise to a development culture often referred to as “vibe coding.” Developers, startups, and even enterprises are prioritizing speed, experimentation, and feature delivery over foundational security practices. While this approach accelerates innovation, it also introduces systemic weaknesses that attackers are quick to exploit.

One of the most prevalent and most dangerous of these weaknesses is the widespread exposure of hardcoded AI API keys across both source code repositories and production websites.

A rapidly expanding digital risk surface is likely to increase the likelihood of compromise; a preventive strategy is the best approach to avoid it. Cyble Vision provides users with insight into exposures across the surface, deep, and dark web, generating real-time alerts for them to view and take action.

SOC teams will be able to leverage this data to remediate compromised credentials and their associated endpoints. With Threat Actors potentially weaponizing these credentials to carry out malicious activities (which will then be attributed to the affected user(s)), proactive intelligence is paramount to keeping one’s digital risk surface secure.

“Tokens are the new passwords — they are being mishandled.”

AI platforms use token-based authentication. API keys act as high-value secrets that grant access to inference capabilities, billing accounts, usage quotas, and, in some cases, sensitive prompts or application behavior. From a security standpoint, these keys are equivalent to privileged credentials.

Despite this, ChatGPT API keys are frequently embedded directly in JavaScript files, front-end frameworks, static assets, and configuration files accessible to end users. In many cases, keys are visible through browser developer tools, minified bundles, or publicly indexed source code. An example of the keys hardcoded in popular reputable websites is shown below (see Figure 1)

This reflects a fundamental misunderstanding: API keys are being treated as configuration values rather than as secrets. In the AI era, that assumption is dangerously outdated. In some cases, this happens unintentionally, while in others, it’s a deliberate trade-off that prioritizes speed and convenience over security.

When API keys are exposed publicly, attackers do not need to compromise infrastructure or exploit vulnerabilities. They simply collect and reuse what is already available.

CRIL has identified multiple publicly accessible websites and GitHub Repositories containing hardcoded ChatGPT API keys embedded directly within client-side code. These keys are exposed to any user who inspects network requests or application source files.

A commonly observed pattern resembles the following:

```javascript
const OPENAI_API_KEY = "sk-proj-XXXXXXXXXXXXXXXXXXXXXXXX";
```

```javascript
const OPENAI_API_KEY = "sk-svcacct-XXXXXXXXXXXXXXXXXXXXXXXX";
```

The prefix “sk-proj-“ typically represents a project-scoped secret key associated with a specific project environment, inheriting its usage limits and billing configuration. The “sk-svcacct-“ prefix generally denotes a service account–based key intended for automated backend services or system integrations.

Regardless of type, both keys function as privileged authentication tokens that enable direct access to AI inference services and billing resources. When embedded in client-side code, they are fully exposed and can be immediately harvested and misused by threat actors.

GitHub as a High-Fidelity Source of AI Secrets

Public GitHub repositories have emerged as one of the most reliable discovery surfaces for exposed ChatGPT API keys. During development, testing, and rapid prototyping, developers frequently hardcode OpenAI credentials into source code, configuration files, or .env files—often with the intent to remove or rotate them later. In practice, these secrets persist in commit history, forks, and archived repositories.

CRIL analysis identified over 5,000 GitHub repositories containing hardcoded OpenAI API keys. These exposures span JavaScript applications, Python scripts, CI/CD pipelines, and infrastructure configuration files. In many cases, the repositories were actively maintained or recently updated, increasing the likelihood that the exposed keys were still valid at the time of discovery.

Notably, the majority of exposed keys were configured to access widely used ChatGPT models, making them particularly attractive for abuse. These models are commonly integrated into production workflows, increasing both their exposure rate and their value to threat actors.

Once committed to GitHub, API keys can be rapidly indexed by automated scanners that monitor new commits and repository updates in near real time. This significantly reduces the window between exposure and exploitation, often to hours or even minutes.

Public Websites: Persistent Exposure in Production Environments

Beyond source code repositories, CRIL observed widespread exposure of ChatGPT API keys directly within production websites. In these cases, API keys were embedded in client-side JavaScript bundles, static assets, or front-end framework files, making them accessible to any user inspecting the application.

CRIL identified approximately 3,000 public-facing websites exposing ChatGPT API keys in this manner. Unlike repository leaks, which may be removed or made private, website-based exposures often persist for extended periods, continuously leaking secrets to both human users and automated scrapers.

These implementations frequently invoke ChatGPT APIs directly from the browser, bypassing backend mediation entirely. As a result, exposed keys are not only visible but actively used in real time, making them trivial to harvest and immediately abuse.

As with GitHub exposures, the most referenced models were highly prevalent ChatGPT variants used for general-purpose inference, indicating that these keys were tied to live, customer-facing functionality rather than isolated testing environments. These models strike a balance between capability and cost, making them ideal for high-volume abuse such as phishing content generation, scam scripts, and automation at scale.

Hard-coding LLM API keys risks turning innovation into liability, as attackers can drain AI budgets, poison workflows, and access sensitive prompts and outputs. Enterprises must manage secrets and monitor exposure across code and pipelines to prevent misconfigurations from becoming financial, privacy, or compliance issues.  

Kaustubh Medhe, CPO, Cyble

From Exposure to Exploitation: How Attackers Monetize AI Keys

Threat actors continuously monitor public websites, GitHub repositories, forks, gists, and exposed JavaScript bundles to identify high-value secrets, including OpenAI API keys. Once discovered, these keys are rapidly validated through automated scripts and immediately operationalized for malicious use.

Compromised keys are typically abused to:

• Execute high-volume inference workloads
• Generate phishing emails, scam scripts, and social engineering content
• Support malware development and lure creation
• Circumvent usage quotas and service restrictions
• Drain victim billing accounts and exhaust API credits

In certain cases, CRIL, using Cyble Vision, also identified several of these keys that originated from exposures and were subsequently leaked, as noted in our spotlight mentions. (see Figure 2 and Figure 3)

Unlike traditional conventions, AI API activity is often not integrated into centralized logging, SIEM monitoring, or anomaly detection frameworks. As a result, malicious usage can persist undetected until organizations encounter billing spikes, quota exhaustion, degraded service performance, or operational disruptions.

Conclusion

The exposure of ChatGPT API keys across thousands of websites and tens of thousands of GitHub repositories highlights a systemic security blind spot in the AI adoption lifecycle. These credentials are actively harvested, rapidly abused, and difficult to trace once compromised.

As AI becomes embedded in business-critical workflows, organizations must abandon the perception that AI integrations are experimental or low risk. AI credentials are production secrets and must be protected accordingly.

Failure to secure them will continue to expose organizations to financial loss, operational disruption, and reputational damage.

SOC teams should take the initiative to proactively monitor for exposed endpoints using monitoring tools such as Cyble Vision, which provides users with real-time alerts and visibility into compromised endpoints.

This, in turn, allows them to take corrective action to identify which endpoints and credentials were compromised and secure any compromised endpoints as soon as possible.

Our Recommendations

Eliminate Secrets from Client-Side Code

AI API keys must never be embedded in JavaScript or front-end assets. All AI interactions should be routed through secure backend services.

Enforce GitHub Hygiene and Secret Scanning

• Prevent commits containing secrets through pre-commit hooks and CI/CD enforcement
• Continuously scan repositories, forks, and gists for leaked keys
• Assume exposure once a key appears in a public repository and rotate immediately
• Maintain a complete inventory of all repositories associated with the organization, including shadow IT projects, archived repositories, personal developer forks, test environments, and proof-of-concept code
• Enable automated secret scanning and push protection at the organization level

Apply Least Privilege and Usage Controls

• Restrict API keys by project scope and environment (separate dev, test, prod)
• Apply IP allowlisting where possible
• Enforce usage quotas and hard spending limits
• Rotate keys frequently and revoke any exposed credentials immediately
• Avoid sharing keys across teams or applications

Implement Secure Key Management Practices

• Store API keys in secure secret management systems
• Avoid storing keys in plaintext configuration files
• Use environment variables securely and restrict access permissions
• Do not log API keys in application logs, error messages, or debugging outputs
• Ensure keys are excluded from backups, crash dumps, and telemetry exports

Monitor AI Usage Like Cloud Infrastructure

Establish baselines for normal AI API usage and alert on anomalies such as spikes, unusual geographies, or unexpected model usage.

The post When AI Secrets Go Public: The Rising Risk of Exposed ChatGPT API Keys appeared first on Cyble.

RESEARCH DISCLAIMER:  
This analysis examines the most recent and actively maintained repositories of OTP & SMS bombing tools to understand current attack capabilities and targeting patterns. All statistics represent observed patterns within our research sample and should be interpreted as indicative trends rather than definitive totals of the entire OTP bombing ecosystem. The threat landscape is continuously evolving with new tools and repositories emerging regularly. 

Executive Summary

Cyble Research and Intelligence Labs (CRIL) identified sustained development activity surrounding SMS, OTP, and voice-bombing campaigns, with evidence of technical evolution observed through late 2025 and continuing into 2026. Analysis of multiple development artifacts reveals progressive expansion in regional targeting, automation sophistication, and attack vector diversity.

Recent activity observed through September and October 2025, combined with new application releases in January 2026, indicates ongoing campaign persistence. The campaigns demonstrate technical maturation from basic terminal implementations to cross-platform desktop applications with automated distribution mechanisms and advanced evasion capabilities.

CRIL's investigation identified coordinated abuse of authentication endpoints across the telecommunications, financial services, e-commerce, ride-hailing, and government sectors, collectively targeting infrastructure in West Asia, South Asia, and Eastern Europe.

Key Takeaways

• Persistent Evolution: Repository modifications observed through late 2025, with new regional variants released in January 2026
• Cross-Platform Advancement: Transition from terminal tools to Electron-based desktop applications with GUI and auto-update mechanisms
• Multi-Vector Capabilities: Combined SMS, OTP, voice call, and email bombing, enabling sustained harassment campaigns
• Performance Optimization: Implementation in Go, claiming significant speed advantages with FastHTTP library integration
• Advanced Evasion: Proxy rotation, User-Agent randomization, request timing variation, and concurrent execution capabilities (75% SSL bypass prevalence)
• Broad Infrastructure Exposure: ~843 authentication endpoints across ~20 repositories spanning multiple industry verticals
• Low Detection Rates: Multi-stage droppers and obfuscation techniques evade antivirus detection at the time of analysis

Discovery and Attribution

What began in the early 2020s as isolated SMS bombing pranks among tech-savvy individuals has evolved into a sophisticated ecosystem of automated harassment tools. An "SMS bomber" or "TP Bombers" can overwhelm a phone number with a barrage of automated text messages - initially emerged as rudimentary Python scripts shared on coding forums.

These early implementations were crude, targeting only a handful of regional service providers and using manually collected API endpoints. Given the dramatic transformation of the digital threat landscape in recent years, driven by the proliferation of public code repositories, the commoditization of attack tools, and the increasing sophistication of threat actors.

Our investigation into this evolving threat began with routine monitoring of malicious code repositories and underground discussion forums. What we discovered was far more extensive: a well-organised, rapidly expanding ecosystem characterized by cross-platform tool development, international collaboration among threat actors, and an alarming trend toward commercialization.

Repository Analysis and Dataset Composition

Malicious actors have weaponised GitHub as a distribution platform for SMS and OTP-bombing tools, creating hundreds of malicious repositories since 2022. Our investigation analyzed around 20 of the most active and recently maintained repositories to characterize current attack capabilities.

Across these repositories, there are ~843 vulnerable, catalogued  API endpoints from legitimate organizations: e-commerce platforms, financial institutions, government services, and telecommunications providers.

Each endpoint lacks adequate rate limiting or CAPTCHA protection, enabling automated exploitation. Target lists span seven geographic regions, with concentrated focus on India, Iran, Turkey, Ukraine, and Eastern Europe.

Repository maintainers provide tools in seven programming languages and frameworks, from simple Python scripts to cross-platform GUI applications. This diversity enables attackers with minimal technical knowledge to execute harassment campaigns without understanding the underlying exploitation mechanics.

Attack Ecosystem: By The Numbers

Our analysis of active SMS bombing repositories gives us an insight into the true scale and sophistication of this threat landscape:

Regional Targeting Distribution

Iran-focused endpoints dominate the observed sample at 61.68% (~520 endpoints), followed by India at 16.96% (~143 endpoints). This concentration suggests coordinated development efforts targeting specific telecommunications infrastructure.

Web-Based SMS Bombing Services

Accessibility and Threat Escalation

In parallel with the open-source repository ecosystem, a thriving commercial sector of web-based SMS-bombing services exists.

These platforms represent a significant escalation in threat accessibility, removing all technical barriers to conducting attacks. Unlike repository-based tools that require users to download code, configure environments, and execute commands, these web services offer point-and-click interfaces accessible from any browser or mobile device.

Deceptive Marketing Practices

Our analysis identified numerous active web services operating openly via search-engine-indexed domains. These services employ sophisticated marketing strategies, positioning themselves as 'SMS prank tools' or 'SMS testing services' while providing the exact functionality required for harassment campaigns.

Data Harvesting and Resale Operations

Although these websites present themselves as benign prank tools, they operate a predatory data-collection model in which users' phone numbers are systematically harvested for secondary exploitation. These collected contact numbers are subsequently used for spam campaigns and scam operations, or monetized through resale as lead lists to third-party spammers and scammers. This creates a dual-threat model: users inadvertently expose both their targets and themselves to ongoing spam victimization, while platform operators profit from both service fees and the commodification of harvested contact data.

Technical Analysis

Attack Methodology

SMS bombing attacks follow a predictable workflow that exploits weaknesses in API design and implementation.

Phase 1: API Discovery

Attackers identify vulnerable OTP endpoints through multiple techniques:

• Manual Testing: Identifying login pages and registration forms that trigger SMS verification
• Automated Scanning: Using tools to probe common API paths like /api/send-otp, /verify/sms, /auth/send-code
• Source Code Analysis: Examining mobile applications and web applications for hardcoded API endpoints
• Shared Intelligence: Leveraging community-maintained lists of vulnerable endpoints on forums and GitHub

Industry Sector Targeting Patterns

Our analysis reveals systematic targeting across multiple industry verticals, with telecommunications and authentication services comprising nearly half of all observed endpoints.

Phase 2: Tool Configuration

Modern SMS bombing tools require minimal setup:

• Multi-threading: Simultaneous requests to multiple APIs
• Proxy Support: Rotation of IP addresses to evade rate limiting
• Randomization: Variable delays between requests to appear more legitimate
• Persistence: Automatic retry mechanisms and error handling
• Reporting: Real-time statistics on successful message deliveries

Attacker Technology Stack Evolution

A detailed analysis of the ~20 repositories reveals significant technical sophistication and platform diversification:

Phase 3: Attack Execution

Once configured, the tool initiates a flood of legitimate-looking API requests.

Attack Vector Prevalence Analysis

Our analysis reveals the distribution of attack methods across the ~843 observed endpoints:

Technical Sophistication: Evasion Techniques

Analysis of the ~20 repositories reveals widespread adoption of anti-detection measures designed to bypass common security controls.

Impact Assessment

Individual Users

For end users targeted by SMS bombing attacks, the consequences include:

Organizations

Businesses whose APIs are exploited face multiple challenges:

Mitigation Strategies: Evidence-Based Recommendations

Based on analysis of successful bypass techniques across ~20 repositories, the following mitigation strategies are prioritized by effectiveness against observed attack patterns. Implementation of these controls addresses the primary exploitation vectors identified in our research.

For Service Providers (API Owners)

CRITICAL Priority

HIGH Priority

For Enterprises (API Consumers)

For Individuals

Conclusion

The SMS/OTP bombing threat landscape has matured significantly between 2023 and 2026, evolving from simple harassment tools into sophisticated attack platforms with commercial distribution. Our analysis of ~20 repositories containing ~843 endpoints reveals systematic targeting across multiple industries and regions, with concentration in Iran (61.68%) and India (16.96%).

The emergence of Go-based high-performance tools, cross-platform GUI applications, and Telegram bot interfaces indicates the professionalization of this attack vector. With 75% of analyzed tools implementing SSL bypass and 58% using User-Agent randomization, defenders face sophisticated adversaries simultaneously employing multiple evasion techniques.

Organizations must prioritize comprehensive rate limiting, dynamic CAPTCHA implementation, and robust monitoring to achieve the projected 85%+ attack prevention effectiveness. The financial impact—potentially exceeding $50,000 monthly for unprotected endpoints—justifies immediate investment in defensive measures.

As the ecosystem continues to evolve, continuous monitoring of underground forums, repository activity, and emerging attack patterns remains essential for maintaining effective defenses against this persistent threat.

MITRE ATT&CK® Techniques

The post SMS & OTP Bombing Campaigns: Evolving API Abuse Targeting Multiple Regions appeared first on Cyble.

Executive Summary

Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility. Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long‑term interactive control over compromised systems.

The loader decrypts and executes its payload exclusively in memory, leaving no persistent binary artifacts on disk. Once active, the payload exposes an interactive post‑exploitation environment that aggressively fingerprints host security controls, enumerates defensive tooling, and evaluates prior compromise before enabling higher‑risk actions. While observed runtime behaviour remains deliberately conservative, payload analysis reveals a broad set of latent capabilities, including fingerprinting, credential access, lateral movement, privilege escalation, cryptomining, memory inspection, and covert data exfiltration.

Notably, the framework includes operator‑driven data exfiltration mechanisms that avoid traditional network transports altogether, instead abusing user‑space tunneling to stage or extract data in a manner designed to evade firewall controls and endpoint monitoring.

This clear separation between restrained runtime behaviour and extensive dormant functionality strongly suggests deliberate operator tradecraft rather than commodity malware logic. Overall, the activity reflects a mature, multi‑purpose Linux post‑compromise platform optimized for fileless execution, interactive control, and situationally adaptive expansion.

Key Takeaways

• The payload is not a standalone malware binary but a weaponized post-exploitation framework, derived from hackshell and adapted for long-term, interactive operator use.
• Incorporates fileless execution as its core design principle. The payload executes from anonymous file descriptors, spoofs argv[0], and avoids persistent filesystem artifacts, significantly complicating detection and forensic reconstruction.
• Runtime behaviour is intentionally restrained. The payload initially focuses on environmental awareness, security control discovery, and operator safety, while destructive or noisy actions remain dormant unless explicitly invoked.
• The framework includes covert, operator‑initiated data staging and exfiltration primitives that abuse user‑space tunneling and legitimate administrative tooling, enabling stealthy data movement even in tightly restricted network environments.
• The presence of extensive EDR/AV fingerprinting, kernel integrity checks, and in-memory malware detection suggests the operator expects to operate in defended enterprise environments rather than opportunistic or unmanaged systems.
• Dormant modules for credential access, lateral movement, crypto-mining, and anti-competition cleanup indicate that the payload can be dynamically repurposed based on operator intent, without altering the loader or redeploying artifacts.
• Overall, the tradecraft observed aligns more closely with advanced intrusion tooling or red-team frameworks than with commodity Linux malware, emphasizing flexibility, stealth, and manual control over automation.

Technical Analysis

The analyzed intrusion chain consists of two primary components:

1. A multi-stage, encrypted shell loader responsible for payload decryption, reconstruction, and fileless execution.
2. An in-memory payload that resolves to a heavily modified version of hackshell, weaponised into a full-featured operator framework. It can download other malware components (such as kernel exploits, cryptominer, and fingerprinting modules) as required by the operator.

Design choices observed throughout the chain—including encrypted embedded payloads, execution context awareness, argv spoofing, and extensive OPSEC logic—indicate a toolset intended for controlled post‑exploitation rather than mass exploitation. The framework enables operators to assess host posture, remain undetected for extended periods, and selectively activate additional capabilities.

The infection flow begins with execution of the obfuscated shell loader, which decrypts an embedded payload using AES‑256‑CBC, reconstructs it in memory, and executes it directly via /proc/<pid>/fd/<fd>. At no stage is the payload written to disk.

Once executed, the payload initializes an interactive shell environment. From this point forward, all activity is explicitly operator‑driven. Rather than automatically deploying miners, extracting data, or attempting propagation, the framework prioritizes reconnaissance, defensive awareness, and operational security. Advanced actions—such as covert data exfiltration using user‑space tunnels, credential harvesting, or privilege escalation—are available on demand, reinforcing that this tooling is designed for deliberate, long‑term intrusion operations rather than noisy, automated campaigns.

At first glance, the malware appears to contain 3 lines of heavily obfuscated shell code, where we see a high-entropy payload assigned to the special shell variable _ & staged text-encoded payload staged and emitted via shell escape processing ($'...'). (See Figure 1)

Loader Script

Upon analysis, it turned out to be a multi-stage, encrypted Linux loader with embedded payload written in POSIX shell, leveraging OpenSSL, Perl, and gzip to decrypt, decompress, and execute a payload entirely in memory. (See Figure 2)

The malware demonstrates tradecraft consistent with mature red-team tooling or advanced post-compromise frameworks, rather than commodity botnet loaders. Key characteristics include:

• Password-protected AES-256-CBC encrypted payload
• Dynamic execution path detection (source vs eval vs exec)
• Fileless execution with argv spoofing
• Environment hardening to evade logging
• Live system security introspection
• Operator-facing interactive CLI

Dependency Validation

Upon execution, the loader validates runtime dependencies (openssl, perl, gunzip) required for decryption and decompression. The absence of any fallback logic suggests targeted, operator-controlled attacks rather than opportunistic mass exploitation. (See Figure 3)

Credential-Based Payload Decryption

The loader contains an embedded Base64-encoded password and an encrypted control blob, both of which are decrypted using OpenSSL. During execution, the decrypted value (R=4817) is used as a byte offset to skip a binary header during stream reconstruction. The decryption command is dynamically assembled at runtime:

echo S1A76XhLvaqIQ+7WsT+Euw== | openssl enc -d -aes-256-cbc -md sha256 -nosalt -k C-92KemmzRUsREnkdk-SMxUoJy8yHhmItvA -a -A

This ensures that the compressed payload cannot be recovered statically without the full execution context.

Execution Context Awareness

Execution culminates in an interactive post-exploitation environment that explicitly minimizes filesystem artifacts, enumerates system security posture, and adapts execution based on shell context (Bash/Zsh). (See Figure 4)

The loader dynamically determines how it was invoked in order to guarantee correct payload execution — a pattern uncommon in commodity malware but common in operator-driven frameworks :

• Source execution: $BASH_SOURCE[0]
• Eval execution: $BASH_EXECUTION_STRING
• Direct file execution: $0
• Zsh compatibility: $ZSH_EVAL_CONTEXT

Payload Reconstruction & Fileless Execution

The payload is reconstructed through a multi-stage decoding pipeline consisting of Perl marker translation, AES-256-CBC decryption, Perl byte skipping (R=4817), and gzip decompression. The resulting binary is executed directly from memory via /proc/<pid>/fd/<f> using exec, with a spoofed argv[0] (${0:-python3}) (See Figure 5)

This ensures the payload never touches disk, evades file-integrity monitoring and traditional AV inspection, and obscures process attribution during incident response.

Importantly, all arguments passed to the loader are forwarded to the payload unchanged. This enables operator-controlled execution modes and on-demand behavior while keeping the loader's behavior static—a deliberate tradecraft choice that complicates detection strategies that rely on argument patterns.

Weaponized Hackshell

Once decrypted and executed directly from memory, the payload resolves to a heavily modified variant of hackshell, repurposed from a lightweight post-exploitation helper into a fully operator-driven intrusion framework. At runtime, it presents an interactive shell and explicitly signals that it avoids filesystem writes, immediately establishing intent for long-lived, low-noise operator interaction rather than smash-and-grab activity.

Payload Capabilities

The payload begins by fingerprinting the host and reporting environmental context back to the operator, including OS details, active users, PTYs, and privilege boundaries. This early-stage reconnaissance indicates that the operator is expected to make informed manual decisions rather than rely on fully automated tasking. (See Figure 6)

Expanded EDR / AV fingerprinting

The payload performs aggressive EDR and AV discovery using both filesystem path checks and service-state enumeration. Compared to upstream hackshell, this variant significantly expands coverage to include commercial EDR platforms, cloud agents, OT/ICS tooling, and telemetry collectors.

• Notable file-path-based detections (_hs_chk_fn) include CrowdStrike, LimaCharlie, Tanium, OTEL collectors, cloud vendor agents (Qcloud, Argus agent). (See Figure 7.1)
• Service-based detections (_hs_chk_systemd) include Falcon Sensor,  Cybereason, Elastic Agent, Sophos Intercept X & SPL, Cortex XDR, WithSecure, Wazuh, Rapid7, and Microsoft Defender (mdatp). (See Figure 7.2)

These checks are surfaced directly to the operator, reinforcing that this is an interactive intrusion tool rather than a background implant.

Anti-competition Logic

The malware implements robust anti-competition logic designed to identify and terminate rival miners and in-memory implants. It actively hunts for competing malware families such as Rondo and Kinsing, detects kernel rootkits via LKM and kernel-taint checks, and enumerates deleted or memfd-backed executables.

The payload collects PIDs associated with XMRig miners, UPX-packed binaries, and related scripts. It contains explicit logic to detect and kill Ebury — a well-known OpenSSH credential-stealing backdoor targeting Linux servers.

In parallel, the framework performs deep security posture introspection by enumerating kernel protections such as AppArmor, inspecting loaded kernel modules, and surveying /proc for indicators of instrumentation or prior compromise.

This enables the operator to rapidly assess whether the host is already infected, monitored, or hardened. (See Figure 8)

PATH manipulation, combined with TMPDIR and HOME relocation, further enables command shadowing and the execution of helper binaries from memory-backed locations, reducing forensic residue and enhancing operational flexibility.

Dormant / On‑Demand Capabilities

While runtime execution remains restrained, analysis of the payload code reveals a broad set of dormant capabilities that can be invoked on demand via operator commands or invocation arguments.

Notable on-demand capabilities include:

• Execution gating via _once() to ensure certain actions run only once per host or session.
• Memory dumping routines capable of extracting & dumping credentials/secrets from live processes. (See Figure 9)

• SSH-based network scanning and lateral movement tooling, including support for legacy cryptographic algorithms. (See Figure 10)

• Credential theft targeting AWS credentials, SSH keys, GitLab, Bitrix database, WordPress database, OpenStack user data, Yandex Cloud user data, Docker, Proxmox VMs and LXC, OpenVZ, and user HOME directory.
• Privilege escalation via execution of exploits downloaded from hardcoded C2 infrastructure. During analysis, multiple kernel exploits, an auto-exploitation script & a C source file were recovered from the C2 server. (Hashes mentioned in the IOC section) (See Figure 11)

Cryptomining

The framework implements multiple CPU and GPU cryptocurrency mining workflows, including XMRig, XMR-Stak, GMiner, and lolMiner, with pool failover logic. Miner configuration dynamically sources worker identifiers from bootcfg*.data files and executes miners through a wrapper (./-bash-screen) using password strings such as c=XMR,mc=${COIN_NAME}, where COIN_NAME defaults to "${1:-FREN}".

GMiner operates using the Kawpow algorithm with configured intensity, while additional miners target RYO and ETCHASH using CUDA backends and hardcoded wallet addresses and pools, including infrastructure at 204.93.253[.]180. (See Figure 12)

• GMiner implemented in gpu() uses kawpow algorithm with 75 intensity
  • Wallet address – 88H9UmU6QyYiGeZdR6hXZJXtJF9Z8zLHDQbC1NV1PDdjCynBq3QKzB1fo1NRhgMX4cBx68Rva5msyKW3PGXfPhCA4itHmiv
  • 87YLCx7zEFghgMEeZvJCZ3gHyS3fUsbAnXSTH8nh8EP7SeptPH8Pnh18snravwhE3dfRt5x67aWo8e6tSJ2cv4mpRNkSdqL

• Pool priority used by miner
  • 204.93.253[.]180 at port 4080
  • Kawpow.na.mine.zergpool[.]com at port 3638
  • Kawpow.asia.mine.zergpool[.]com at port 3638
  • kawpow.eu.mine.zergpool[.]com at port 3638

The other 2 miners’ details are:

• XMR-Stak (gpustak())
  • Wallet address – RYoNsBiFU6iYi8rqkmyE9c4SftzYzWPCGA3XvcXbGuBYcqDQJWe8wp8NEwNicFyzZgKTSjCjnpuXTitwn6VdBcFZEFXLcY4DwEsWGnj1SC1Sgq
  • Backend - CUDA (libxmrstak_cuda_backend.so)
  • Coin payout – RYO
  • Pool server - 204.93.253[.]180:3080

• LolMiner (gpuecho())
  • Wallet address – 0xd67f158b2bcc819eee7029f3477f0270ec1d37b4
  • Algorithm – ETCHASH
  • Pool server - 204.93.253[.]180:1080

Covert Data Staging and Exfiltration via GSocket‑Backed rsync

The payload implements dedicated data staging helpers (rs() and rs1()) that enable stealthy exfiltration of files or directories from the compromised host using rsync, while deliberately avoiding conventional network transports such as SSH, SCP, or SFTP. Instead of relying on standard TCP connections, the payload replaces rsync's transport layer via the -e option with GSocket user‑space tunnels (gs-dbus and gs-netcat), allowing file transfers to traverse covert channels that are rarely monitored by security tooling.

Both functions route traffic through a hardcoded GSocket rendezvous endpoint (62.171.153[.]47) and authenticate sessions using an operator‑supplied token ($rsynccode). The apparent destination (127.1:.) is intentionally misleading. However, it resembles a loopback address; the connection is intercepted by GSocket before reaching the local networking stack, enabling remote file transfer without opening inbound ports or establishing visible outbound sessions. This technique allows the operator to exfiltrate data even from hosts protected by restrictive firewall or egress filtering policies.

Two transport variants are provided. The rs() function leverages DBus‑based tunneling (gs-dbus), favoring stealth in environments where DBus traffic is common and rarely inspected. The rs1() variant uses a netcat‑style GSocket tunnel (gs-netcat), offering higher throughput for bulk transfers at the cost of slightly increased visibility. (See Figure 13)

Both modes preserve file permissions, timestamps, and partial transfer state, indicating deliberate support for long‑running, interruption‑tolerant exfiltration workflows rather than opportunistic data theft.

Lateral Movement

For lateral movement, the malware performs automated discovery and brute-force attempts against SSH services by using open-source tools.

• Rustscan, a modern port scanner used to identify reachable SSH endpoints (with configurable target) and output the result in oG format (output Greppable), meant to be consumed by spirit. This serves as an attack surface for brute-force attacks.
• Next, it downloads & extracts spirit (another penetration testing tool) to the local directory, renames it to –bash, cleans up artifacts, & runs it to grab banners (to determine version info.) & brute-force SSH logins against hosts in h.lst using default credentials. (See Figure 14)

Integrated Assessment

The payload exhibits a deliberate dual-layer design. The default runtime layer emphasizes reconnaissance, memory-only execution, stealth, and interactive control. The dormant, on-demand layer enables crypto-mining, privilege escalation, memory theft, covert staging & exfiltration, lateral movement, and C2-driven updates, allowing operators to expand impact opportunistically without increasing detection surface.

Combined with the loader's fileless execution model, this malware is optimized for long-term presence, operational flexibility, and defensive evasion. It is not characteristic of commodity Linux malware; instead, it reflects a mature, multi-purpose post-exploitation framework built around interactive operator control.

Conclusion

Together, the loader and payload analyzed in this report demonstrate a highly mature Linux post‑exploitation framework designed for stealth, flexibility, and long-term operator control.

Rather than focusing on immediate or obvious impact, the malware emphasizes situational awareness, evasion of defenses, and the selective activation of capabilities based on real-time operator judgment and environmental factors.

This behavior is unusual for standard Linux malware. Instead, it shows intentional design choices typical of advanced intrusion tools, prioritizing operational safety, flexibility, and durability over automation and scale.

The framework's comprehensive security review, along with its fileless execution approach, argument-driven modularity, and operator-controlled data movement methods, allows customized per-host operations while keeping a consistently low-profile execution environment.

The weaponization of the original hackshell utility further highlights this intent. Equipped with features for cryptomining, lateral movement tools, exploit delivery methods, covert data staging, and exfiltration primitives, along with aggressive OPSEC measures, the payload is clearly meant for long-term access and targeted monetization rather than widespread distribution.

Therefore, effective detection and disruption require visibility into in-memory execution, process behavior, and kernel-level telemetry, as traditional file-based and signature-driven controls are unlikely to offer enough coverage against this type of threat.

Cyble's Threat Intelligence Platforms continuously monitor emerging threats, phishing infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

Defenders should prioritize behavioral detection over static signatures for staying protected against attacks like ShadowHS

• Execution of ELF binaries from /proc/<pid>/fd/<fd>
• OpenSSL decryption invoked from shell or Perl pipelines reconstructing executables.
• Full execution strings from bash‑memory and Perl one‑liners invoking syscalls.
• Shell scripts performing dependency validation for openssl, perl & gunzip.
• Extensive enumeration of /proc/*/exe for deleted or memfd-backed binaries
• GDB is being invoked against live processes for memory dumping
• PATH prefixed with . in interactive shells
• Abuse of legitimate synchronization or transfer utilities over non‑standard execution transports for data staging or exfiltration.
• Monitor for argv spoofing anomalies where executable path is not equal to the cmdline name & alert on memory-only processes, specifically interactive shells running without backing executables.
• Monitor perl exec{} pattern with anonymous file descriptors.
• Add rules for AES-CBC -nosalt misuse in shell pipelines.
• Track outbound data transfers initiated via user‑space tunnels or non‑standard rsync transports.

Cloud & Container Environments

This framework explicitly checks for cloud agents and monitoring tools. In cloud-hosted Linux environments:

• Treat unexpected /proc scanning and kernel module enumeration as high-risk
• Monitor for SSH brute‑force or reconnaissance tooling launched post‑compromise (e.g., rustscan, spirit)
• Watch for GPU utilization spikes tied to hidden –bash-screen sessions
• Alert on data movement from compute workloads using atypical synchronization or tunnelling mechanisms.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

The post ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized hackshell appeared first on Cyble.

Executive Summary

deVixor is an actively developed Android banking malware campaign operating at scale, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses.

Distributed as malicious APK files, deVixor has evolved from a basic SMS-harvesting threat into a fully featured Remote Access Trojan (RAT) that combines banking fraud, credential theft, ransomware, and persistent device surveillance within a single platform.

Active since October 2025, Cyble Research and Intelligence Lab’s (CRIL) analysis of over 700 samples indicates with high confidence that the threat actor has been conducting a mass infection campaign leveraging Telegram-based infrastructure, enabling centralized control, rapid updates, and sustained campaign evolution.

Key Takeaways

• deVixor is a sophisticated Android banking trojan that combines financial data theft, device surveillance, and remote control into a single malware platform.
• The malware is actively distributed through fake websites posing as legitimate automotive businesses, tricking users into installing malicious APK files.
• deVixor extensively harvests SMS-based financial information, including OTPs, account balances, card numbers, and messages from banks and cryptocurrency exchanges.
• It leverages WebView-based JavaScript injection to capture banking credentials by loading legitimate banking pages inside a WebView.
• The malware includes a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments.
• deVixor uses Firebase for command delivery and Telegram-based bot infrastructure for administration, allowing attackers to manage infections at scale and evade traditional detection mechanisms.

Overview

Android banking malware has progressed well beyond basic credential-harvesting threats, evolving into sophisticated remote access toolkits maintained as persistent, service-driven criminal operations.

During our ongoing analysis of malicious sites, we uncovered deVixor, a previously underreported Android Remote Access Trojan (RAT) actively distributed via fraudulent websites masquerading as legitimate automotive companies.

These sites lure victims with heavily discounted vehicle offers and trick them into downloading a malicious APK, which ultimately installs the deVixor malware on the device.

Some of the malicious URLs distributing deVixor RAT are:

• hxxp://asankhodroo[.]shop
• hxxp://www[.]asan-khodro.store
• hxxp://www[.]naftyar.info/naftman.apk
• hxxp://abfayar[.]info/abfa.apk
• hxxps://blupod[.]site/blupod.apk
• hxxps://naftman[.]oghabvip.ir/naftman.apk
• hxxp://vamino[.]online.infochatgpt.com/vamino.apk
• hxxps://lllgx[.]site/mm/V6.apk

CRIL identified more than 700 samples of multiple variants of the deVixor RAT from October 2025. Early versions of the malware exhibited limited functionality, primarily focused on collecting PII and harvesting banking-related SMS messages.

Subsequent variants showed a clear evolution in capabilities, introducing banking-focused overlay attacks, keylogging, ransomware attacks, Google Play Protect bypass techniques, and extensive abuse of Android’s Accessibility Service.

Our investigation also uncovered a Telegram channel operated by the threat actor, which was created shortly after the initial development of deVixor RAT and was actively used to publish version updates, promote new capabilities, and share operational screenshots.

Notably, screenshots posted in the channel reveal numerous devices that are simultaneously infected, each associated with a unique Bot ID (referred to by the actor as a “Port”), suggesting an active campaign operating at scale.

The channel’s growing subscriber base further supports the assessment that deVixor is being maintained and distributed as an ongoing criminal service rather than a short-lived operation. (See Figures 1, 2, and 3)

The deVixor RAT leverages a Telegram bot–based administrative panel for issuing commands. Each deployed APK is assigned a unique Bot ID stored in a local port.json file, enabling the operator to track, monitor, and control individual infected devices.

Once registered, the operator receives real-time updates via Telegram and can issue commands that are relayed to infected devices through backend infrastructure. Figure 4 illustrates the available administrative actions and operational updates as observed in the threat actor’s Telegram channel. (see Figure 4)

Multiple indicators suggest that the campaign is regionally focused. Linguistic artifacts observed in Telegram communications, operator messages, and hardcoded strings within the APK, combined with the exclusive targeting of Iranian banks, domestic payment services, and local cryptocurrency exchanges, strongly indicate that Iranian users are the primary targets of this operation. The use of Persian-language user interface elements in phishing overlays further reinforces this assessment.

DeVixor demonstrates how modern Android banking malware has evolved into a scalable, service-driven criminal platform capable of compromising devices over the long term and facilitating financial abuse.

Its active development, growing feature set, and reliance on legitimate platforms such as Telegram for command-and-control pose a significant risk to Android users. The next section provides a detailed technical analysis of deVixor RAT’s functionality, command structure, and abuse mechanisms observed across multiple variants.

Technical Analysis

Upon installation, the deVixor RAT prompts victims to grant permissions to access SMS messages, contacts, and files. In newer variants, it additionally requests Accessibility service permissions. (see Figure 5)

Once the required permissions are granted, the malware establishes communication with Firebase to receive commands from the threat actor. In parallel, deVixor decrypts a hardcoded alternate Command-and-Control (C&C) server URL, which is used to exfiltrate the collected data.

Overall, deVixor relies on two distinct servers for its operations: (see Figure 6)

• Firebase server – used for receiving commands
• C&C server – used for transmitting stolen data

Bank Information Harvesting

The deVixor RAT uses multiple techniques to steal banking information. One of its main approaches involves collecting banking-related data from SMS messages. In addition, deVixor leverages a WebView injection technique to redirect victims to banking pages, where JavaScript-based injections are used to capture login credentials and other sensitive financial information.

SMS-Based Banking Data Harvesting

deVixor has implemented multiple commands to harvest banking information, including card details, bank balance amounts, SMSs coming from banks and crypto applications, and OTPs:

GET_BANK_BALANCE Command

The command scans up to 5,000 SMS messages on the infected device to identify banking-related content, extract account balances and OTPs, and associate them with known Iranian banks using a hardcoded set of sender and bank keyword signatures.

It applies regular expressions to parse balances and OTP codes, checks whether the corresponding official banking applications are installed, and exfiltrates the results as a structured JSON response under the GET_ACCOUNT_SUMMARY command.

The report includes the bank name, balance, OTP availability and value, app installation status, and the total number of identified banks. (see Figure 7)

GET_CARD_NUMBER Command

Similar to the previous command, deVixor scans all SMS messages in the infected device’s inbox to identify credit and debit card numbers. It uses regular expressions to detect and validate card numbers, then exfiltrates the extracted information to the C&C server.

GET_EXCHANGE Command

This command scans the victim’s SMS inbox for messages originating from cryptocurrency exchanges and payment services. It extracts recent messages for each identified sender and exfiltrates the collected data to the C&C server. The malware specifically targets SMS messages associated with the following cryptocurrency exchanges (see Figure 8)

• Binance
• CoinEx
• Ramzinex
• Exir
• Tabdeal
• Bitbarg
• TetherLand
• AbanTether
• OkExchange
• ArzDigital
• IranCryptoMarket
• Cryptoland
• Bitex
• Excoino

GET_BANK_SMS Command

Similar to the GET_EXCHANGE command, this command collects the most recent SMS messages sent by known banks and payment services. The harvested messages are returned to the C&C server as a structured JSON response labeled GET_BANK_SMS. Below is the list of banks and payment services targeted by deVixor (see Figure 9)

• Bank Melli Iran
• Bank Mellat
• Bank Tejarat
• Bank Saderat Iran
• Bank Sepah
• Bank Maskan
• Bank Keshavarzi
• Bank Refah
• Bank Pasargad
• Bank Parsian
• Bank Ayandeh
• Bank Saman
• Bank Sina
• Bank Dey
• Post Bank Iran
• Middle East Bank
• Iran Zamin Bank
• Eghtesad Novin Bank
• Karafarin Bank
• Shahr Bank
• Hekmat Iranian Bank
• Industry & Mine Bank
• Export Development Bank of Iran
• Tavon Bank
• BluBank
• Iran Kish

This SMS-based financial information harvesting enables attackers to carry out banking fraud and account takeovers, leading to wallet draining and significant financial losses for victims.

Fake Bank Notification and Credential Harvesting

deVixor uses the “BankEntryNotification” command to generate fraudulent bank notifications designed to lure users into interacting with them. When a victim taps the notification, the malware loads a legitimate banking website inside a WebView and injects malicious JavaScript into the login forms.

Once the user enters their username and password and clicks the login button, the credentials are silently exfiltrated to the C&C server. The figure below illustrates the JavaScript injection technique used for credential harvesting. (see Figure 10)

Ransomware Activity

The deVixor RAT includes an embedded ransomware module that can be remotely triggered using the “RANSOMWARE” command. Upon receiving this command, the malware parses the attacker-supplied parameters, including the ransom note, a TRON cryptocurrency wallet address, and the demanded payment amount.

These details are stored locally in a file named LockTouch.json, which serves as a persistent configuration file to retain the ransomware state across device reboots. The malware then sets an internal locked status and prepares the ransom metadata used by the lock-screen component.

Based on screenshots shared on the threat actor’s Telegram channel, deVixor locks the victim’s device and displays a ransom message stating “Your device is locked. Deposit to unlock”, along with the attacker’s TRON wallet address and a demand of 50 TRX.

The malware also generates a response containing device identifiers and ransom-related details, which is sent back to the C&C server to track victim status and potential compliance. (see Figure 11)

This functionality demonstrates that deVixor is capable of conducting financial extortion, in addition to its existing capabilities for credential theft and user surveillance.

In addition to the features described above, the malware is capable of collecting all device notifications, capturing keystrokes, preventing uninstallation, hiding its presence, harvesting contacts, and taking screenshots. We’ve compiled a full list of supported commands below:

deVixor v1 and v2 Commands

Conclusion

deVixor is a feature-rich Android banking Trojan that reflects the latest evolution of Android malware. It combines SMS-based financial data harvesting, WebView-based JavaScript injection attacks, ransomware capabilities, and full remote device control to facilitate banking fraud, account takeovers, financial extortion, and prolonged user surveillance from a single platform.

The modular command architecture, persistent configuration mechanisms, and an active development cycle all indicate that deVixor is not an isolated campaign, but a maintained and extensible criminal service.

The targeted focus on Iranian banks, payment services, and cryptocurrency platforms highlights deliberate victim profiling and regional specialization.

Cyble's Threat Intelligence Platforms continuously monitor emerging threats, infrastructure, and activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, impersonation, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.