Executive Summary

Cyble Research and Intelligence Labs (CRIL) has uncovered a targeted cyberespionage campaign leveraging social engineering and trusted infrastructure to establish persistent, covert access to victim systems.

The attack is delivered via phishing emails containing a malicious LNK file disguised within a RAR archive, using a Russian humanitarian aid request form to exploit contextual trust. Evidence of a secondary survey-based lure indicates the threat actor is actively refining delivery techniques.

Execution triggers a stealthy, multi-stage infection chain in which a decoy document is presented to the user while a heavily obfuscated, fileless (PE-less) Python-based implant is silently deployed.

The payload is retrieved from GitHub Releases, enabling the attacker to blend malicious traffic with legitimate services and evade traditional detection mechanisms. Persistence is established through scheduled tasks, ensuring long-term, resilient access.

Once active, the implant operates as a full-spectrum surveillance platform, enabling credential harvesting, keystroke logging, clipboard and screenshot capture, sensitive data exfiltration, and covert remote access. The campaign prioritizes continuous intelligence collection while maintaining a low operational footprint and minimal user visibility.

While attribution remains inconclusive, the artifacts strongly suggest a deliberate intelligence-gathering operation likely targeting Russian-speaking individuals or entities.

Key Takeaways

• The LNK file contains self-obfuscated content that is extracted and executed by PowerShell, using a deliberate technique to evade automated sandbox analysis.
• Multiple lure types themed around humanitarian aid, written in Russian, have been observed, suggesting the intended targets are Russian-speaking individuals, and the threat actor is actively adapting delivery approaches.
• The payload is obfuscated using PyArmor and hosted on GitHub Releases, a deliberate combination to evade static detection and bypass network-level security controls.
• During analysis, the implant was observed collecting browser credentials, session cookies, keystrokes, clipboard data, screenshots, Telegram session data, and sensitive files from the victim's machine.
• Remote desktop access is established silently using RustDesk or AnyDesk, giving the attacker persistent interactive access to the victim's machine with no visible window.
• Persistence is achieved through a Windows Scheduled Task that survives system reboots, ensuring the implant remains continuously active in the background.
• The threat actor behind this campaign has not been conclusively attributed. The campaign uses a surveillance-first, PE-less Python architecture and custom C2 infrastructure, consistent with a targeted espionage operation.

Technical Analysis

This section provides a detailed walkthrough of the attack chain, from initial delivery to payload execution and data collection, based on static and dynamic analysis of the identified samples.

Stage 1: Malicious LNK File Delivery

The infection begins with a Windows shortcut file delivered to the target.

SHA-256

8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79

The LNK file is significantly larger than a typical Windows shortcut, as it contains self-obfuscated Unicode content embedded within its body. PowerShell reads this content from a specific offset, decodes it, and executes it in memory. This is a deliberate anti-sandbox technique, as the malware will not execute if the original file is absent from disk, making it appear clean to automated scanning tools.

Stage 2: Decoy Lure Delivery

Upon execution, the malware downloads a Russian-language humanitarian aid request form ("O predostavlenii gumanitarnoy pomoshchi") from the C2 server, saves it to %TEMP%\open_doc, and displays it to the victim. The lure of both the RAR archive and the LNK file reference humanitarian aid, reinforcing the lure's credibility.

Lure PDF URL

hxxp://159.198.41[.]140/static/builder/lnk_uploads/invo.pdf

Saved To

%TEMP%\open_doc

While the victim reads the document, the real installation runs silently in the background. A second variant involving a survey link (hxxp[:]//159.198.41.140/test/index.php?r=survey/index&sid=936926&newtest=Y&lang=ru%22) has also been observed.

Stage 3: Python Environment Bootstrap

The malware creates a fully self-contained Python environment inside the user's %appdata% folder, requiring no administrator privileges.

Installation Path

%APPDATA%\WindowsHelper

`The installation directory is named WindowsHelper to mimic a legitimate Windows system component. The malware correctly handles a known technical requirement for Python's embedded distribution (patching the ._pth file to enable pip), a detail that reflects genuine developer skill. The following Python libraries are installed, each enabling a specific capability:

Stage 4: Payload Download and Persistence

The main payload is downloaded from a dedicated GitHub account. Storing it in GitHub Releases rather than the repository code is a deliberate evasion choice, as release artifacts receive less scrutiny from automated scanners and updates can be pushed silently with no commit history. The same account also hosts clean, legitimate files, including the Python embedded runtime and pip installer, making the entire download chain appear as normal GitHub traffic.

Beyond the malicious payload, the same GitHub account also hosts the Python embedded runtime (python-3.12.10-embed-amd64.zip) and the pip installer (get-pip.py) as separate release tags. These are clean, legitimate files. Hosting them on the same repository allows the attacker to download and bootstrap the entire Python environment from a single trusted source, making the full installation chain appear as normal GitHub traffic to network monitoring tools.

The attacker's GitHub Release page shows frequent republishing of data.zip, with its sha256 hash changing across versions, confirming the threat actor remains active and is continuously updating the campaign payload.

Persistence

Two silent VBScript launchers, run.vbs and launch_module.vbs, invoke the payload through pythonw.exe with no visible window.

A Windows Scheduled Task named “WindowsHelper” is registered to run at a short recurring interval, ensuring the implant persists across reboots and remains continuously active in the background.

Stage 5: Active Payload Capabilities

The main payload, module.pyw, is protected with PyArmor v9.2 Pro, a commercial obfuscation tool that converts Python bytecode into a format that resists static analysis and decompilation. Analysis of the disassembled bytecode revealed the following active capabilities:

Browser Credential and Cookie Collection

The implant collects stored passwords and session cookies from all major Chromium-based browsers, including Firefox. For Chromium browsers, it extracts the AES-GCM master key from the Local State file and uses it to decrypt stored credentials. It handles both legacy DPAPI-based decryption and newer Chrome encryption schemes (v10, v11, and v20).

• Target browsers: Chrome, Edge, Brave, Opera, Yandex Browser, Firefox
• Functions identified in bytecode: get_master_key, decrypt_chromium_data, extract_chromium_passwords, collect_and_send_cookies, extract_login_data, extract_firefox_passwords

Keylogging

Keystrokes are captured continuously via the keyboard library, stored in keystrokes_log.txt, and periodically uploaded to the C2 server.

Clipboard Monitoring

The malware monitors clipboard contents in real time using the pyperclip library. Any text copied by the victim, including passwords, tokens, and other sensitive content.

Screenshot Capture

The mss library captures continuous desktop screenshots, which are archived as ZIP files and uploaded periodically. Old archives are automatically cleaned up to avoid excessive disk usage.

File Collection

The implant recursively scans user directories, skipping system folders and low-value file types, to collect documents, configuration files, and credential stores.

This selective filtering is designed to identify high-value files, including documents, configuration files, source code, and credential stores on the Desktop, in Documents, and similar user locations.

A SQLite database inventory_state.db tracks scanned files to avoid re-uploading unchanged content. Files are also scanned for 64-character hexadecimal strings consistent with cryptocurrency private keys.

Telegram Session Collection

The tdata session folder is extracted and uploaded, giving the attacker full access to the victim's Telegram account without requiring a password.

Remote Access via RustDesk and AnyDesk

Static analysis of the payload reveals the capability to silently download and install RustDesk and AnyDesk. RustDesk, signed by Open Source Developer Huabing Zhou, is a legitimate remote desktop tool that is being abused here to blend in with normal software. The code is designed to hide the application window from the victim and to send the connection credentials back to the C2 server, potentially giving the attacker persistent remote desktop access.

RustDesk download source

hxxps://github.com/rustdesk/rustdesk/releases/download/1.4.4/rustdesk-1.4.4-x86_64.exe

Command and Control Infrastructure

All collected data is transmitted to a single attacker-controlled server. The server hosts a custom-built login panel (Login - Dashboard) that the attacker can use to access all collected data, monitor active implants, and initiate remote desktop sessions.

C2 Server

hxxp://159.198.41[.]140

Server Stack

nginx/1.24.0 on Ubuntu Linux, Flask 3.1.3 backend, Python 3.12.3

Hosting Provider

Namecheap, Inc. (web-hosting.com VPS) - ASN 22612, Atlanta, GA, USA

Upload Endpoint

/upload

Tunnel Endpoint

/tunnel (RustDesk proxy)

User-Agent Spoofed

Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... Chrome/143.0.0.0 ... Edg/143.0.0.0

The C2 server was confirmed live and serving the attacker's login panel as of May 2026. The use of a commercial VPS provider with low-friction provisioning reflects a common pattern among threat actors seeking to quickly deploy and replace infrastructure.

Attribution:

The intended targets of this campaign appear to be Russian-speaking individuals, as evidenced by the Russian-language lure content referencing humanitarian aid. The use of a humanitarian aid application form as a decoy suggests the targets may include individuals or organizations involved in aid distribution, civil administration, or related government functions.

Conclusion

This campaign represents a well-constructed, technically capable cyberespionage operation. The attacker combines a convincing Russian-language humanitarian aid lure with a multi-stage infection chain that silently deploys a full-featured surveillance platform on victim machines.

The Python implant goes beyond credential collection. It enables the attacker to monitor every action a victim takes, collect active browser sessions, capture communications, and maintain live remote desktop access.

The use of PyArmor v9.2 Pro for payload obfuscation, GitHub Releases for payload hosting, and a custom Flask C2 panel demonstrates a technically skilled and operationally disciplined threat actor.

The campaign is active and ongoing. The Russian-language lure content and humanitarian aid theme point to Russian-speaking individuals as the intended target audience.

The use of multiple lure types, particularly humanitarian ones, indicates active development and adaptation. Organizations and individuals should treat this as an active threat and apply the recommendations in this report.

Recommendations

• Treat unsolicited files received through email or messaging platforms with caution, especially compressed archives and shortcut files. Verify the sender through a separate trusted channel before opening any attachment.
• Enable file extension visibility in Windows to prevent files from being disguised using misleading names or double extensions.
• Regularly audit the Windows Task Scheduler for unexpected or newly created tasks, particularly those scheduled to run at short, recurring intervals without a known business justification.
• Monitor endpoint activity for the creation of self-contained scripting environments in user-writable directories, as this is a common technique for executing malicious code without administrative privileges.
• Block outbound network traffic to known malicious infrastructure at the perimeter and alert on downloads from newly registered or low-reputation hosting accounts on code-sharing platforms.
• Monitor for the silent installation of remote desktop tools by non-administrative processes, as legitimate software abused for remote access is a growing attacker technique that can be difficult to detect without process-level visibility.
• Deploy endpoint detection rules targeting obfuscated or packed script files appearing in non-standard user directories, as commercially packed payloads are increasingly used to evade static analysis.
• Ensure security teams have visibility into scheduled task creation, scripting interpreter activity, and outbound HTTP connections from user-space processes, as these are the primary indicators of this class of threat.

MITRE ATT&CK TTPs

Tactic (Tactic ID)	Technique (Technique ID)	Description
Initial Access (TA0001)	Phishing: Spearphishing Attachment (T1566.001)	Malicious LNK file inside a RAR archive, delivered as a Russian-language humanitarian aid
Execution (TA0002)	User Execution: Malicious File (T1204.002)	The victim must open the LNK file to trigger the infection chain
Execution (TA0002)	Command and Scripting Interpreter: PowerShell (T1059.001)	PowerShell reads content from a specific offset within the LNK file and executes the obfuscated payload
Execution (TA0002)	Command and Scripting Interpreter: VBScript (T1059.005)	run.vbs and launch_module.vbs silently invokes the Python payload with no visible window
Execution (TA0002)	Command and Scripting Interpreter: Python (T1059.006)	Core surveillance implant written in Python, executed via windowless pythonw.exe
Persistence (TA0003)	Scheduled Task/Job: Scheduled Task (T1053.005)	WindowsHelper scheduled task fires every 5 minutes indefinitely and survives system reboots.
Defense Evasion (TA0005)	Obfuscated Files or Information: Software Packing (T1027.002)	Python payload packed with PyArmor v9.2 Pro to resist static analysis and decompilation
Defense Evasion (TA0005)	Masquerading: Match Legitimate Name or Location (T1036.005)	WindowsHelper directory name mimics a legitimate Windows system component
Defense Evasion (TA0005)	Ingress Tool Transfer (T1105)	Payload (data.zip) downloaded at runtime from GitHub Releases, abusing trusted infrastructure.
Credential Access (TA0006)	Credentials from Password Stores: Credentials from Web Browsers (T1555.003)	Collects stored passwords and cookies from Chrome, Edge, Brave, Opera, Yandex Browser, and Firefox
Credential Access (TA0006)	Steal Web Session Cookie (T1539)	Session cookies collected
Credential Access (TA0006)	Unsecured Credentials: Credentials in Files (T1552.001)	Scans for files containing 64-character hex strings consistent with private keys
Collection (TA0009)	Input Capture: Keylogging (T1056.001)	The keyboard library captures all keystrokes continuously and stores them for upload.
Collection (TA0009)	Clipboard Data (T1115)	pyperclip monitors and collects clipboard contents in real time
Collection (TA0009)	Screen Capture (T1113)	mss library takes continuous desktop screenshots and archives
Collection (TA0009)	Data from Local System (T1005)	A selective recursive scan collects documents and configuration files from user directories.
Command and Control (TA0011)	Application Layer Protocol: Web Protocols (T1071.001)	HTTP used to upload all collected data to the C2 server at 159.198.41[.]140
Lateral Movement / Persistence (TA0008)	Remote Access Software (T1219)	RustDesk and AnyDesk are silently installed for persistent interactive remote desktop access.
Exfiltration (TA0010)	Exfiltration Over C2 Channel (T1041)	All collected data was uploaded to the attacker-controlled C2 server in batched archives.

Indicators of Compromise (IOCs)

Indicator	Indicator Type	Description
8a100cbdf79231e70cee2364ebd9a4433fda6b4de4929d705f26f7b68d6aeb79	SHA-256	Initial LNK dropper
9be61c95056fd6b63565cf51a196f2615f5360c0a42e616b2a618473e9d60a21	SHA-256	Dementyeva_Anna_Vasilyevna_zayavka_gumanitarnayapomosch.rar
hxxp://159.198.41.140/static/builder/lnk_uploads/invo[.]pdf	URL	Lure PDF download
hxxp://159.198.41.140/test/index.php?r=survey/index&sid=936926&newtest=Y&lang=ru%22	URL	Survey URL
hxxps://github.com/leravalera2/dtfls/releases/download/dtfls/data.zip	URL	PyArmour packed malicious scripts
a5b782901829861a6f458db404e8ec1a99c65a48393525e681742bb2a5db454d	SHA-256	module.pyw - packed Python stealer/RAT

The post Operation HumanitarianBait: An Infostealer Campaign in Disguise appeared first on Cyble.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) identified a campaign of over 16,800 malicious domains active since early 2026. It uses a potent technique — embedding government labels as subdomains to fake trust without DNS authority. We have dubbed this 'Operation TrustTrap'.

Spoofed portals resolve to infrastructure concentrated across Tencent Cloud and Alibaba Cloud APAC nodes, impersonating citizen-facing government services across several US states, with targeting extending into India, Vietnam, and UK-adjacent geographies. A distinct infrastructure cluster within the dataset we investigated carries TTPs consistent with APT36.

The campaign's sophistication isn't in technical exploits but in exploiting how humans interpret web addresses. Attackers no longer compete with security controls at the binary level but target the cognitive layer—when a user's eye scans a URL and decides whether to click.

Key Takeaways

• 16,800 unique malicious domains identified across major US states and agencies
• Domains weaponize the visual trust of "*.gov" by positioning it in non-root subdomain positions
• Three distinct obfuscation classes: subdomain injection, hyphen manipulation, and combined abuse
• Infrastructure clustering reveals overlapping IPs concentrated in Tencent Cloud ASNs (China)
• Campaign extends beyond the US to India, Vietnam, and NHS-themed lures in the UK
• Over 62% of these domains had very few detections on VirusTotal
• Registrar concentration: Gname.com Pte. Ltd. dominant; TLDs of choice were .bond, .cc, .cfd
• Infrastructure and TTPs show consistency with known government-targeting threat clusters
• A distinct APT36-consistent infrastructure cluster identified within the dataset targeting Indian Government Entities

Campaign overview

Campaign Start	Early 2026
Primary Objective	Credential and payment card harvesting via government portal impersonation
Targeted Regions	United States, India, Vietnam, UK-Adjacent
Impersonated Entities	National or State portals, toll systems, vehicle registration services
Primary Hosting	Tencent Cloud, Alibaba Cloud APAC
Primary Registrar	Gname.com Pte. Ltd., Dominet (HK) Limited, NameSilo LLC
TLD Profile	.bond (51.6%), .cc (20.3%), .cfd (13.1%), .top (3.0%), .click (2.8%)
Domain Obfuscation Techniques	Subdomain trust injection, hyphen-based semantic disruption, deliberate state-name typosquatting, and combined obfuscation with contextual amplifiers
Key Behavior	Spoofed government portals engineered to exploit visual trust in .gov-containing URLs; domains position legitimate government tokens in non-root subdomain positions to bypass blocklist and regex detection; victims directed via SMS or email lures to fake portals mimicking citizen-facing services; designed for credential and payment card harvesting
APT groups	APT36 (Transparent Tribe)

A routine sweep by Cyble Research and Intelligence Labs (CRIL) uncovered a coordinated infrastructure of over 16,800 malicious domains. These domains were designed to make fraudulent URLs appear as government websites.

Our expanded search yielded infrastructure correlation, registrar clustering, certificate metadata, and shared hosting IP analysis. The campaign grew from dozens to thousands of domains, ultimately producing a dataset of 16,800 confirmed malicious domains with a consistent construction logic.

What Are These Domains Actually Used For?

Though several domains appear to be benign at the point of registration — serving no active content — they function as a pre-provisioned operational reserve. Domains are registered in bulk and held dormant until a campaign wave is triggered. At this point, they are rapidly activated to host government-themed phishing portals designed to harvest credentials and device information.

A subset operates as staging infrastructure, dynamically loading second-stage payloads — credential exfiltration endpoints or malicious scripts — after the victim has already landed on the spoofed page. This separation between the delivery domain and the payload host is deliberate: it keeps the user-facing URL clean while the actual malicious logic lives one layer deeper, significantly narrowing the window for detection and takedown.

Targeting Geography: Who Is Being Impersonated?

Analysis of the 16,800 domains reveals a heavily US-centric campaign, with systematic coverage of virtually every US state. The targeting is not random — it skews toward states with high-volume citizen-facing digital services, particularly Department of Motor Vehicles (DMV) portals, toll payment systems, and vehicle registration renewals. These are services characterized by time-sensitive transactions, financial exchange, and strong citizen familiarity — ideal conditions for social engineering.

Top Targeted US Entities

Entity / State	Impersonation Pattern	Domain Count
Washington State	wa.gov-[id].*, www.wa.gov-[id].*	797
California	ca.gov-[id].*, california.gov-[id].*	722
Florida (FLHSMV)	flhsmv.gov-[id].*, flhsmu.gov-[id].*	722
Georgia	georgia.gov-[id].*, ga.gov-[id].*	715
Massachusetts	mass.gov-[id].*, www.mass.gov-[id].*	697
Michigan	michigan.gov-[id].*, mi.gov-[id].*	591
Arizona	az.gov-[id].*, arizona.gov-[id].*	494
Colorado	colorado.gov-[id].*, co.gov-[id].*	440
Texas	tx.gov-[id].*, txdmv.gov-[id].*	414
Oklahoma	oklahoma.gov-[id].*, ok.gov-[id].*	399

Beyond the United States: International Footprint

While the campaign is overwhelmingly US-focused, CRIL identified targeting extending into at least three additional geographies:

The variants targeting India are particularly noteworthy from a threat intelligence perspective. The pattern www.in.gov-[id].bond specifically mimics the structure of Indian government portals (which use the *.gov.in TLD convention) through subdomain injection — consistent with the analytical framework CRIL has described as trust-token positioning attacks.

Registrar Dominance

Gname.com remains dominant, but two additional registrars were identified across the extended dataset.

Dominet (HK) Limited, a Hong Kong-based registrar with a documented history of abuse across multiple phishing campaigns, accounts for 10.5% of the analyzed domains.

NameSilo, LLC accounts for a small fraction. Still, its presence alongside the primary registrars suggests the operator is diversifying provisioning sources, likely to reduce the risk of bulk registrar-level takedowns.

REGISTRAR	SHARE
Gname.com Pte. Ltd.	70.3%
Unknown / Redacted	18.4%
Dominet (HK) Limited	10.5%
NameSilo, LLC	0.8%

The concentration of infrastructure in Tencent and Alibaba Cloud ASNs is a notable attribution signal. The registrar pattern, particularly the dominance of Gname.com, a Singapore-based registrar with a significant Chinese customer base, combined with the APAC IP clustering, points to an operator or operator group with consistent access to low-cost Chinese cloud infrastructure.

Operational Lifecycle

Domains observed returning active HTTP 200 responses and live phishing content in early April 2026 were fully unresolvable by late April 2026.

This confirms the rapid rotation lifecycle the campaign relies on: domains are activated for a narrow operational window and then abandoned or rotated, deliberately narrowing the time available for detection, blocklist addition, and takedown.

Deceptive Domain Spoofing: Core Technique Breakdown

Technique 1: Subdomain Trust Injection

The most prevalent technique in the dataset involves embedding a legitimate-looking government domain token — such as mass.gov, wa.gov, or az.gov — in the leftmost subdomain position of a fraudulent domain.

The critical structural insight: in every legitimate government URL, the .gov component appears as a top-level domain directly before the rightmost domain separator. In the malicious variants, gov appears as part of a subdomain label. The DNS authority rests entirely with the registrant of the rightmost domain — not with any government entity.

Technique 2: Hyphen-Based Semantic Manipulation

A second class of obfuscation weaponizes the hyphen character to break known trust tokens into subtly altered, yet visually similar, forms. By inserting hyphens at strategic positions within familiar government identifiers, attackers construct strings that resist regex-based detection while remaining legible to the human eye.

Technique 3: Combined Obfuscation Strategy

The domains in this dataset combine both techniques: subdomain trust injection with hyphen manipulation, alongside innocuous-sounding benign word insertion. This layered approach maximizes deception while minimizing the technical footprint:

Active Phishing URL Structure

Active phishing URLs observed across the infrastructure consistently used a double-query-string parameter pattern: ?var1=xxxxx?var2=xxxxx.

This structure serves as a session-tracking mechanism, assigning unique identifiers to individual victims to monitor engagement. Its consistent use across hundreds of URLs confirms an organized, kit-driven operation rather than manually managed individual campaigns.

Path structures observed across active URLs confirm the agency-specific targeting:

• /dmv (Department of Motor Vehicles)
• /mvd (Motor Vehicle Division)
• /dol (Department of Licensing)
• /dot (Department of Transportation)
• /mve (Motor Vehicle Enforcement)
• /mvc (Motor Vehicle Commission)
• /rmv (Registry of Motor Vehicles)

Each path maps to the specific agency being impersonated by the subdomain prefix.

Some of the examples of active phishing portals are shown below (see Figure 5 and Figure 6)

APT36 Infrastructure Cluster: Attribution Signals

During infrastructure correlation, CRIL identified a distinct cluster of domains exhibiting TTPs consistent with APT36 (also tracked as Transparent Tribe, ProjectM, and TEMP.Lapis) — a Pakistan-nexus threat actor with a well-documented history of targeting Indian government entities, defense personnel, and diplomatic infrastructure.

The attribution is assessed with moderate-to-high confidence based on the convergence of the following signals across the cluster:

• Campaign overlap: Lure themes targeting Indian government portals align directly with APT36's documented preference for spoofing Indian ministry and defense-adjacent web properties
• Infrastructure reuse: Shared hosting IPs (particularly within the Tencent Cloud and Alibaba APAC ASN ranges) overlap with previously documented APT36 staging infrastructure observed in 2024–2025 campaigns
• TLD and registrar pattern: The .bond and .cc TLD preference, combined with Gname.com registration, is consistent with APT36's known operational playbook for disposable domain provisioning
• Target geography correlation: The India-specific trust injection pattern reflects the threat actor with specific knowledge of how Indian government URLs are structured (*.gov.in) and how to exploit that structure visually
• Subdomain construction logic: The random suffix characters mirror the automated domain-generation behavior documented in prior APT36 bulk registration events.

Conclusion

Operation TrustTrap is a coordinated campaign involving 16,800 malicious domains across all US states, as well as India, Vietnam, and the UK, often using UK-themed lures.

The campaign exploits visual and cognitive trust mechanisms rather than technical vulnerabilities, rendering traditional detection methods ineffective.

The shift from domain spoofing to trust-layer manipulation represents a meaningful evolution in adversarial capability that demands a corresponding evolution in defensive architecture. Pattern-driven discovery, eTLD+1-aware detection tooling, intent-based domain risk scoring, and revised security awareness programs are the pillars of an adequate response.

CRIL will track this campaign cluster and update IoCs as new infrastructure emerges. All indicators have been submitted to Cyble's threat feeds and are accessible to Vision platform customers for blocking and correlation.

Organizations, especially those in US state governments, transportation agencies, and DMV-like services, should view this campaign as an active threat and prioritize detection and review against the failure modes outlined in this report.

Recommendations

Based on the findings presented above, CRIL recommends the following actions for immediate consideration by security teams and organizations:

• Implement eTLD+1-aware URL parsing across all email security, proxy, and endpoint controls.
• Build or acquire detection rules that evaluate the structural position of government trust tokens, not merely their string presence.
• Apply domain risk scoring that weights registrar identity, TLD, hosting ASN, and domain registration age as compounding signals.
• Integrate campaign-cluster pivoting from confirmed IoCs into threat hunting workflows, using shared IP resolution as the primary pivot axis.
• Revise security awareness materials to teach structural URL interpretation, with a specific focus on identifying the root registered domain as distinct from subdomain labels.
• For organizations in the transport, DMV, and toll payment space: issue proactive user advisories advising that official payment communications will never be delivered via SMS with embedded URLs.

The need for a proactive cyberdefense stance

The current threat landscape includes a multitude of Social Engineering campaigns. Security teams need more than reactive controls to keep ahead of these.

Solutions such as Cyble Vision deliver operational intelligence that enables defenders to stay ahead of adversaries through early detection, campaign-level visibility, and infrastructure mapping.

Cyble Vision specifically empowers security teams to move beyond isolated detection, providing the strategic insight needed to anticipate threats, monitor adversary activity, and respond with precision at every stage of the attack lifecycle. Security teams can take necessary preventive action with the help of:

• Real-Time IOC Monitoring
  Enable continuous tracking of indicators tied to adversary infrastructure, before they reach end users.
• Credential Phishing Infrastructure Mapping
  Map attacker-controlled infrastructure, including fake authentication portals, dynamic exfiltration endpoints, and backend logic designed to capture credentials.
• Brand and Executive Impersonation Monitoring
  Detect domain spoofing and impersonation attempts targeting internal functions such as HR and Finance—often used to increase trust and exploit user familiarity.
• Deep and Dark Web Visibility
  Surface chatter, leaked credentials, and phishing toolkits from deep/dark web sources, offering early insight into attacker preparation and target selection.
• Global Targeting Intelligence
  Track phishing activity across global regions—including North America, EMEA, and APAC—as well as over 70 industry sectors, providing defenders with contextual understanding of targeting patterns.
• Threat Actor Attribution and TTP Correlation
  Associate infrastructure, techniques, and behavioral patterns with known threat actors, empowering security teams to prioritize response based on adversary capability and intent.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Resource Development	T1583.001 – Acquire Infrastructure: Domains	Mass registration of lookalike government domains across .bond, .cc, and .cfd TLDs via low-cost registrars.
Initial Access	T1566.002 – Phishing: Spearphishing Link	Delivery of malicious URLs via SMS (smishing) and email, leveraging government-themed lures to redirect victims to spoofed portals.
Credential Access	T1598.003 – Phishing for Information: Spearphishing Link	Credential harvesting through fake government service portals such as DMV, toll payments, and vehicle registration sites.
Defense Evasion	T1036.005 – Masquerading: Match Legitimate Name or Location	Embedding legitimate .gov-like tokens within domain structures to impersonate trusted government infrastructure.
Command and Control	T1071.001 – Application Layer Protocol: Web Protocols	Use of HTTPS with TLS certificates from low-cost issuers to make phishing and exfiltration infrastructure appear legitimate.
Resource Development	T1584.001 – Compromise Infrastructure: Domains	Use of APAC-based cloud providers (e.g., Tencent, Alibaba Cloud) to host phishing infrastructure with rapid scaling and deployment.

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post Operation TrustTrap: Anatomy of a Large-Scale Deceptive Domain Spoofing Campaign appeared first on Cyble.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) has been monitoring a significant surge in the use of “MiningDropper”, a sophisticated Android malware delivery framework that combines cryptocurrency mining capabilities with the deployment of infostealers, Remote Access Trojans (RATs), and banking malware.

MiningDropper employs a multi-stage payload delivery architecture that combines XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques. This layered design enables threat actors to evade static detection, delay analysis, and dynamically control the delivery of the final payload.

Our analysis indicates that MiningDropper is being actively leveraged across multiple campaigns, with a particularly notable infostealer campaign targeting Indian users, alongside a BTMOB RAT campaign affecting LATAM, Europe, and Asia.

Additionally, large-scale telemetry analysis shows widespread distribution with low detection rates, highlighting the effectiveness of its evasion techniques and the rapid reuse of its modular architecture across campaigns.

Key Takeaways

• MiningDropper is a multi-stage Android malware delivery framework that combines cryptocurrency mining activity with the deployment of additional malicious payloads.
• The recently identified MiningDropper variant leverages a trojanized version of the open-source Android application project “Lumolight”.
• Dropper implements layered obfuscation (XOR + AES) and native code execution to evade detection and hinder analysis
• Uses a state-driven payload execution, initially deploying a miner before transitioning to user-defined payloads
• Actively used in phishing campaigns impersonating RTO services, banks, telecom providers, and popular applications
• Delivers malware payloads, including infostealers and BTMOB RAT, capable of full device compromise
• Over 1,500+ samples observed, with more than 50% exhibiting low antivirus detection, indicating ongoing evasion and rapid campaign scaling

Dropper Characteristics

Category	Description
Type	Multi-stage dropper
Capabilities	Crypto mining
Infection Vector	Smishing, Social Media, and Fraudulent Websites
Initial Payload	Trojanized LumoLight application
Final Payloads	Infostealer, RAT, Banking Trojan
Obfuscation Techniques	XOR-based string obfuscation in native code, AES-encrypted asset files
Target Region	Asia, Europe, LATAM

Overview

Recently, CRIL observed a notable surge in the use of MiningDropper (also referred to as BeatBanker) as an adaptable malware delivery framework for distributing infostealers, Remote Access Trojans (RATs), and banking malware.

The threat actor employs a multi-stage payload architecture that incorporates XOR-based native-string obfuscation, AES-encrypted payload staging, and anti-emulation techniques, significantly complicating detection and analysis.

Our investigation revealed that MiningDropper is actively leveraged across multiple campaigns, with particularly notable activity observed in two primary campaign clusters:

Infostealer Campaign

This campaign primarily targets users in India by impersonating:

• Regional Transport Office (RTO) services
• Banking institutions
• Telecom providers

In October 2025, Cyble analyzed a campaign that used RTO services as a lure, during which multiple malware variants were identified, including one that used MiningDropper. In its more recent variant, MiningDropper incorporates native code along with a trojanized open-source application.

In this campaign, victims are lured to download malicious APK files via phishing websites or social media platforms, ultimately leading to the deployment of infostealer payloads designed to harvest sensitive user and financial data.

The following sites were identified as distributing MiningDropper as part of an infostealer campaign:

• hxxps://cardcpp[.]online/imobile.apk
• hxxps://hamzaansari1612-ux[.]github.io/ICICI00/imobile.apk
• hxxps://getchaiian[.]short.gy/Getchallan0176
• hxxps://raw.githubusercontent[.]com/singhsonali3021-pixel/my-apk/main/ICICI%20BANK%20CREDIT%20CARD.apk
• hxxps://cardhelp[.]live/SBICreditCard.apk
• hxxps://downloadhdfcapp[.]pythonanywhere.com/download/latest.apk
• hxxps://protectcc[.]online/imobile.apk
• hxxps://dkfootwearstore[.]shop/Jio%20Free%20Recharge.apk
• hxxps://www.icicimanagecards[.]online/iMobile%20Lite.apk

BTMOB RAT Campaign

The second campaign distributes MiningDropper via fraudulent sites targeting users across:

• Europe
• Latin America
• Asia

In this case, the dropper delivers BTMOB RAT, a full-featured Android remote access trojan. We first identified BTMOB RAT in February 2024 as a variant of the SpySolr malware, capable of credential harvesting, device takeover, real-time remote control, and facilitating financial fraud operations.

At the time of its initial discovery, the malware was distributed without a packer and was detected by multiple antivirus products. However, in recent campaigns this year, BTMOB RAT is being distributed via MiningDropper, significantly reducing its detection footprint to as few as 1–3 detections.

The following phishing sites were identified as distributing MiningDropper as part of a BTMOB RAT campaign:

• hxxps://www[.]kavoutai[.]com/signed[.]apk
• hxxps://free-secure[.]com/Free%20Secure%20-%20Annulation[.]apk
• hxxps://litter[.]catbox[.]moe/o6pxvp[.]apk
• hxxps://tv-pluto[.]vercel[.]app/PlutoTv[.]apk
• hxxps://www[.]dl[.]dropboxusercontent[.]com/scl/fi/r9d5y9ch1k7dwvw6l36rj/TecnoCasaFotosPiso[.]apk?rlkey=z6n2qvft8v3nzm66fgy6acwcx
• hxxps://googleeplaaystore[.]pages[.]dev/assets/AGENDA2026[.]apk

Over the past month, we identified more than 1,500 MiningDropper samples in the wild, highlighting the rapid proliferation and reuse of this malware framework. Detection telemetry reveals:

• A majority of samples cluster at very low detection rates, with over 50% exhibiting minimal antivirus coverage, indicating effective evasion techniques
• The largest concentration of samples (~668) shows only 3 AV detections, suggesting widespread undetected distribution

These observations underscore that MiningDropper is not merely another Android dropper, but a scalable malware-as-a-framework, enabling threat actors to efficiently deploy diverse payloads while maintaining a low detection footprint.

A detailed technical analysis is presented in the following section.

Technical Analysis

MiningDropper employs a multi-stage, modular architecture combining native code, dynamic loading, staged decryption, and configuration-driven payload delivery. Each stage progressively unpacks the next payload while minimizing static exposure and hindering detection.

For the technical analysis, we analyzed the APK “Free Secure - Annulation.apk” (58a94f889547db8b2327a62e03fb2cce3bda716278d645ee8094178ecda2e9e6), which is being distributed via a phishing site “hxxps://free-secure[.]com/Free%20Secure%20-%20Annulation.apk”.

Initial Native Stage

The threat actors appear to have trojanized the open-source Android application project “LumoLight.” The malicious activity is executed via the application subclass, which loads the native library “librequisitionerastomous.so.” This library contains XOR-obfuscated strings that are decrypted at runtime, a technique used to hinder static analysis and evade automated detection mechanisms.

After decrypting the strings from the native code, it is evident that the native library has implemented anti-emulation techniques. The application checks platform details, system architecture, and device model information to determine whether it is running on an emulator.

If an emulated or rooted environment is detected, the malware terminates its malicious execution.

The native library is also responsible for decrypting and executing the first-stage payload from the APK’s assets directory. The asset “x7bozjy2pg4ckfhn” is decrypted using a long hardcoded XOR key, producing the first-stage DEX payload.

After decrypting the first-stage payload, the native code dynamically loads the DEX file using DexClassLoader and invokes the malicious class “com.example.virusscanbypassbootstrapper.DexLoader.”

First Stage Payload

The decrypted first-stage payload acts primarily as a bootstrap loader. Its main purpose is to receive execution from the native library, decrypt the next-stage payload, and execute it. This stage contains a loadDex() method that decrypts the second-stage payload and executes it via dynamic code loading.

The first stage retrieves the encrypted second-stage file “4ozvcznaamqmioqf/sorxbqp8” from the assets folder and decrypts it using AES.

The AES key is derived from the first 16 bytes of the SHA-1 hash of the filename sorxbqp8, showing that the TA uses filename-derived key material rather than storing raw AES keys directly.

This approach slightly increases analysis effort because the decryption key must be reconstructed from the naming logic rather than extracted as a static constant.

After decryption, the first stage loads the recovered second-stage dex using Dex Class Loading.

Second Stage Payload

The second-stage payload is the most visible portion of the chain from the victim’s perspective. It presents a fake Google Play update interface that deceives the user into believing a legitimate update or service repair is underway.

This stage effectively serves as the social-engineering layer of the infection flow, masking the malicious installation behind a familiar Android/Google-themed update prompt.

In addition to the visual lure, the second stage loads the class com.qnez.sarcilistranscendingly.App responsible for decoding and orchestrating the remaining stages. This component decrypts the file “jajmanpongids” using AES, again deriving the key from the first 16 bytes of the SHA-1 hash of the filename plus the suffix 1.

In this case, the effective key material is based on jajmanpongids1. The decrypted output is a ZIP archive that contains the third-stage installer components.

Based on the observed code paths, the malware operates in two distinct modes: one linked to the “miner” component and the other to a “user payload.”

The behavior indicates that the second-stage payload initially activates the miner module, then transitions state—either upon completion or failure—and then executes the user-defined payload.

This distinction highlights that the campaign is built to support flexible, multi-purpose monetization rather than a fixed single-payload approach.

The second stage also decrypts one of two configuration files from assets: “norweyanlinkediting” for the miner path or “udela” for the user-defined path. Both use the same AES pattern, with the key derived from the first 16 bytes of the SHA-1 hash of the filename plus 1.

For the user-defined payload, the decrypted configuration contains:

{"isRemoteControl": true, "isTestKeyEnabled": false, "splits": ["transnaturationsaxhorn", "mischanterperilling", "unwieldlyostearthritis"], "subscriptionEndMillis": 1777220616438, "messageAuthenticationCode": "HaZRwGj6UZDpqKSf43o/Cg==", "simpleInstaller": "deprecated"}

For the miner payload, the configuration contains:

{"isRemoteControl": false, "isTestKeyEnabled": false, "splits": ["bilbopseudomelanosis"], "subscriptionEndMillis": 4611686018427387903, "messageAuthenticationCode": "eVAmHju3UqrVWR56gOMaUQ==", "simpleInstaller": "deprecated"}

The third-stage payload uses these configuration files to identify which encrypted asset files correspond to the remote control payload and which are associated with the miner component.

Third Stage Payload

The third-stage payload is extracted from the decrypted ZIP archive “jajmanpongids.zip”, which contains the DEX file “enchantmentcrosses” along with ARM native libraries. Similar to earlier stages, this payload leverages native code and XOR-based string obfuscation to evade analysis.

Functionally, it operates as a split-APK installer module that reconstructs and installs the final payload package using components defined in the configuration.

Final Payloads

For the user-defined path, the third stage processes the three split entries listed in the configuration: transnaturationsaxhorn, mischanterperilling, and unwieldlyostearthritis. These files are present in the APK assets and are encrypted using the same AES pattern used elsewhere in the chain.

After decryption, the components are merged to reconstruct the final malicious package. In this sample, this merged payload is attributed to BTMOB RAT.

BTMOB RAT can perform multiple malicious activities, including credential theft via WebView-based injections, keylogging, and data exfiltration. It abuses Android Accessibility Services to gain extensive control over the device, enabling actions such as unlocking the device, simulating user interactions, and granting additional permissions.

Furthermore, it supports real-time remote control via WebSocket-based C2 communication, enabling attackers to monitor the infected device's screen in real time, manage files, record audio, and execute commands.

For the miner path, the third stage decrypts the single asset bilbopseudomelanosis, again using filename-derived AES key material. In this branch, the output is a standalone APK that handles cryptocurrency mining.

Taken together, the final stage design reveals that MiningDropper is better understood as a multi-payload Android delivery framework than a simple miner dropper.

The same loader family can deliver radically different end payloads with only configuration and asset changes, which explains how the campaign can scale across a large number of samples while maintaining a consistent core architecture.

Conclusion

MiningDropper demonstrates a layered, modular Android malware architecture designed to make static analysis difficult while giving Threat Actors flexibility in final payload delivery.

The malware combines a native bootstrapper, memory-only string deobfuscation, filename-derived AES decryption, staged DEX loading, configuration-driven payload delivery, and split APK reconstruction to install either a cryptocurrency miner or a more capable user-defined payload such as BTMOB RAT.

This design allows the threat actor to reuse the same distribution and installation framework across hundreds of samples while adapting the final monetization objective to operational needs.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

• Install Apps Only from Trusted Sources:
  Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
• Be Cautious with Permissions and installs:
  Never grant permissions and install an application unless you're certain of an app's legitimacy.
• Watch for Phishing Pages:
  Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
• Enable Multi-Factor Authentication (MFA):
  Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
• Report Suspicious Activity:
  If you suspect you've been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
• Use Mobile Security Solutions:
  Install a mobile security application that includes real-time scanning.
• Keep Your Device Updated:
   Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Initial Access (TA0027)	Phishing (T1660)	MiningDropper is distributed via phishing sites
Execution (TA0041)	Native API (T1575)	Dropper used native code to decrypt payloads
Defense Evasion (TA0030)	Obfuscated Files or Information (T1406)	Dropper stores the encrypted payload in the assets
Defense Evasion (TA0030)	Virtualization/Sandbox Evasion (T1633)	Dropper implemented anti-emulation techniques
Discovery (TA0032)	System Information Discovery (T1426)	Dropper checks the device information to identify the running environment

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post MiningDropper – A Global Modular Android Malware Campaign Operating at Scale appeared first on Cyble.

Executive Summary

CRIL has been actively tracking a surge in PXA Stealer activity deployed in a sophisticated, financially motivated threat campaign attributed with high confidence to a Vietnam-based cybercriminal group. The primary targets in this campaign are job seekers across India, Bangladesh, the Netherlands, Sweden, and the United States.

Threat actors leverage LinkedIn as their primary initial access vector, distributing fraudulent recruitment messages via compromised accounts that impersonate legitimate job opportunities.

What makes this threat particularly dangerous is the potential for propagation: compromising one’s LinkedIn account, especially with many connections (such as recruiters or HR personnel), can lead to an exponentially higher rate of further infection. This new trend requires users to be wary when using any social networking platform, even those for professional use.

The infection ultimately delivers a multi-stage information stealer designed to harvest sensitive data, including browser-stored credentials, cryptocurrency wallet information, two-factor authentication (2FA) tokens, hardware wallet artifacts, and email client credentials.

The attack chain demonstrates significant operational sophistication:

• Adversaries abuse trusted cloud and professional platforms—including LinkedIn, Google Forms, and Dropbox—to evade reputation-based security controls and increase victim trust.
• Execution relies on a legitimate Microsoft 365 binary leveraged for DLL sideloading, while the malicious DLL is artificially inflated to approximately 100 MB to bypass size-based inspection mechanisms.
• The final payload executes entirely in memory, minimizing disk artifacts and complicating forensic detection.

This sophistication makes PXA Stealer a potent threat to job seekers in the targeted countries, and the list of victims may expand in the near future.

At the time of analysis, the campaign remained active and continued to propagate laterally through compromised LinkedIn accounts, leveraging victims’ professional networks to further distribute job-themed phishing lures.

The image below shows the Malware profile summary for PXA Stealer from Cyble’s Vision Threat Intelligence.

The real-world impact of this lateral spread is evidenced by multiple LinkedIn users publicly reporting that their accounts were compromised and used to distribute fraudulent Apex Logistics Group recruitment messages to their professional connections, as shown below.

Key Takeaways

• Attribution: The campaign is attributed with high confidence to PXA Stealer, tied to a Vietnam-based cybercriminal actor. This is further supported by Vietnamese-language strings embedded within malware samples and overlaps with previously documented activity clusters.
• Initial Access Vector: Threat actors initiate compromise through LinkedIn direct messages, impersonating recruiters from a fabricated logistics entity, Apex Logistics Group, using job-themed social engineering lures.
• Payload Delivery Chain: Victims are redirected through a staged delivery workflow that includes a Google Form, followed by a shortened URL pointing to a Dropbox-hosted ZIP archive. The payload exhibited zero antivirus detections on VirusTotal at the time of discovery.
• Execution Mechanism: Malware executes via DLL sideloading using a legitimate, signed Microsoft Office binary (winword.exe), enabling trusted-process execution and reducing behavioral suspicion.
• Defense Evasion: The malicious DLL is artificially inflated to approximately 100 MB to evade size-threshold scanning mechanisms. The final payload executes entirely in memory through Python exec() functionality, leaving minimal disk artifacts during runtime.
• Command-and-Control (C2): The malware dynamically retrieves its C2 infrastructure from an encrypted Telegram channel. The final payload is hosted on an IP address configured to masquerade as Chinese government infrastructure, likely to hinder attribution and evade network reputation controls.
• Objectives: The infostealer’s primary objective is data theft, targeting a broad range of sensitive assets, including:
  • Browser credentials and session data
  • Cryptocurrency wallets and Ledger Live artifacts
  • Two-factor authentication (2FA) and authenticator data
  • Desktop and email client credentials

• Persistence Mechanism: Persistence is established via a scheduled task registered under a name mimicking a legitimate Microsoft Edge update process, blending malicious activity with normal system operations.

Overview

PXA stealer is tied to a Vietnam-linked threat actor who conducted a targeted campaign across multiple countries by impersonating recruiters on LinkedIn and distributing fabricated part-time job opportunities as social engineering lures.

Victims are guided through a staged delivery chain leveraging trusted platforms, including a Google Form, a shortened URL, and a Dropbox-hosted ZIP archive, allowing the malicious payload to evade reputation-based defenses and achieve zero detections on VirusTotal at the time of discovery.

Upon opening the archive, victims unknowingly executed a disguised Microsoft Word binary that initiated a DLL sideloading attack. The sideloaded DLL is artificially inflated to approximately 100 MB, a deliberate evasion technique designed to bypass automated file-scanning and size-threshold inspection mechanisms.

A concealed batch script subsequently deployed the next-stage payload, established persistence via a scheduled task masquerading as a legitimate Microsoft Edge update process. It launched the final infostealer entirely in memory. Execution relied on multiple layers of encoding—including XOR, Base64, bzip2, and zlib—to obscure payload functionality and minimize forensic artifacts on disk.

PXA Stealer: History and Evolution

PXA Stealer is not a new threat. First publicly documented by Cisco Talos in November 2024, it has undergone continuous, rapid evolution. What began as a straightforward Python-based infostealer has matured into a sophisticated, multi-stage operation backed by an organized criminal ecosystem. Understanding this evolution is critical to anticipating the threat actor's next moves.

The name PXA is tied directly to its original developer, Phan Xuan Anh (PXA), a Vietnamese national who commissioned a high school programmer to develop the malware in late 2024. Vietnamese law enforcement subsequently indicted 12 suspects in early 2026, including the student developer, as part of a global operation that had infected over 94,000 computers worldwide.

Period	Milestone / Version	Key Changes & Observed TTPs
Oct-24	Early Infrastructure Seeding	Telegram BotIDs created; initial Python-based stealer circulated in Vietnamese cybercrime Telegram channels ("Mua Bán Scan MINI"). Handle @LoneNone hardcoded in payload.
Nov-24	Public Discovery (v1.0)	Cisco Talos publishes first analysis. Targets: government & education sectors in Europe and Asia. Lure: phishing emails. Exfiltration via Telegram bot. Vietnamese-language strings confirmed.
Late 2024	Initial LinkedIn Campaign	Pivot to LinkedIn DMs impersonating recruiters. Delivery chain: LinkedIn → Google Form → shortened URL → Dropbox ZIP. Microsoft Office (winword.exe) DLL sideloading introduced. DLL inflated to ~100 MB.
Apr-25	Sideloading Expansion	Actors adopt Haihaisoft PDF Reader as an alternative sideloading vehicle alongside winword.exe. Persistence shifts to the Windows Registry. LummaC2 and Rhadamanthys were delivered alongside PXA in the same campaigns.
Mid 2025	Infrastructure Hardening	Dynamic C2 retrieval via Telegram encrypted channels. C2 IPs configured to masquerade as Chinese government infrastructure. In-memory Python exec() execution introduced; no disk artifacts at runtime.
Jul-25	Advanced Evasion (v2.0+)	Multi-layer encoding stack: XOR → Base64 → bzip2 → zlib. Cloudflare Workers are used as a C2 relay. Exfiltrated data format: [CC_IP] HOSTNAME.zip. 4,000+ unique victim IPs across 62 countries confirmed.
Aug-25	Scale Confirmed (SentinelOne / Beazley)	Joint report: 200,000+ unique passwords, 4M+ browser cookies, hundreds of credit card records harvested. Stolen data is sold on the Sherlock marketplace via a subscription model. 4,000+ victim IPs across 62 countries.
Late 2025	RAT Pivot (Huntress Research)	The same threat actor pivots from a custom Python stealer to PureRAT (a commercial .NET backdoor) in some campaigns. Adds: PureMiner, PureClipper, BlueLoader. C2 servers confirmed in Vietnam.
Oct–Dec 2025	Financial Sector Targeting	Microsoft Defender Experts investigate two campaigns targeting financial institutions. Persistence via registry Run keys and scheduled tasks. Python interpreter masqueraded as svchost.exe.
Q1 2026	Infostealer Vacuum Fill	Following the 2025 takedowns of Lumma, Rhadamanthys, and RedLine, PXA Stealer activity surged by 8–10%. New lures: tax forms, legal documents, and Photoshop installers. Financial institutions globally targeted (CyberProof).
Ongoing	Active Campaign (This Report)	LinkedIn job-lure campaign active across India, Bangladesh, the Netherlands, Sweden, USA. Lateral spread through the victim's LinkedIn connections. CRIL is actively tracking.

Comparative TTP Analysis: PXA Stealer Campaigns

The table below cross-references TTPs observed in this campaign against prior PXA Stealer analyses by Cisco Talos (November 2024) and SentinelOne (August 2025). The consistent overlap across delivery, obfuscation, persistence, and exfiltration techniques provides strong technical justification for attributing this activity to the PXA Stealer malware family.

TTP	MITRE Technique	Description
Python-Based Infostealer Payload	T1059.006 - Command and Scripting Interpreter: Python	Core PXA Stealer signature across all known campaigns
DLL Sideloading via Legitimate Signed Binary	T1574.002 - DLL Side-Loading	Consistent technique; signed binary name varies by campaign
Hidden Folder with Staged Payloads	T1564.001 - Hide Artifacts: Hidden Files and Directories	Hidden staging folder with an identical naming convention
WinRAR Renamed as an Image File	T1036.005 - Masquerading: Match Legitimate Name or Location	Same technique; only the filename differs
Password-Protected Archive as Payload Container	T1027 - Obfuscated Files or Information	Archive disguised as a common file type in all campaigns
Telegram Bot for C2 or Data Exfiltration	T1071.001 - Application Layer Protocol: Web Protocols	Hardcoded TOKEN_BOT and CHAT_ID across all variants
Vietnamese Language Strings in Payload	T1027 - Obfuscated Files or Information	Attribution marker present in all documented PXA campaigns
Renamed Python Interpreter	T1036.005 - Masquerading: Match Legitimate Name or Location	Python interpreter masqueraded as a system process
Scheduled Task or Registry Persistence	T1053.005 - Scheduled Task / T1547.001 - Registry Run Keys	Persistence method; mechanism varies slightly by variant
Multi-Layer Payload Obfuscation	T1027 - Obfuscated Files or Information	Layered encoding is a consistent anti-analysis signature
Dropbox Used for Payload Staging	T1102 - Web Service	Trusted cloud platform abused as a payload host across campaigns
Browser Credential and Cookie Theft	T1555.003 - Credentials from Password Stores: Credentials from Web Browsers	Core stealer capability is present in all PXA variants.
Cryptocurrency Wallet Targeting	T1414 - Steal Application Access Token	Crypto targeting is a defining objective of PXA Stealer

What Should Businesses Expect When Infected with PXA Stealer?

PXA Stealer's immediate impact is severe and rapid. Within minutes of execution, all browser-stored credentials, active session cookies, cryptocurrency wallets, and 2FA tokens are exfiltrated. Attackers can bypass MFA entirely using harvested session cookies, and email account access enables Business Email Compromise before the victim even notices the infection.

Shortly thereafter, the victims' credentials are stolen, and their own LinkedIn profile is turned into a distribution channel for further attacks.

Organizations face regulatory breaches of notification requirements under GDPR or DPDPA, long-term persistent access risks, and lasting reputational damage, particularly for fintech and crypto-facing businesses.

Technical Analysis:

Initial Access — LinkedIn Phishing

The threat actor established initial contact via direct messages on a compromised LinkedIn account, posing as a recruiter affiliated with a logistics sector firm. The lure offered a remote, part-time digital marketing role, a format deliberately calibrated to exploit the professional context LinkedIn provides.

With 1.3 billion active users, LinkedIn is the largest professional networking platform. Users would naturally expect and engage with career-related outreach, particularly job seekers. This significantly lowers their caution threshold when compared to unsolicited emails or social media messages from trusted contacts on other platforms.

Once contact is established, targets are directed to a Google Form hosted at hxxps://forms.gle/JjAtpy26Tcokow2Q7.

Hosting the next stage on Google’s legitimate infrastructure is intentional: most URL filtering solutions and email security gateways do not flag Google domains, allowing the attacker to preserve the job application narrative while bypassing automated defenses entirely.

Payload Delivery — Trusted Platforms as Staging Infrastructure

Within the Google Form, victims were instructed to review a job description via a hyperlink. The link (hxxps://tr.ee/PRtnsf) was a shortened URL that redirected to a Dropbox-hosted ZIP archive named “Position Details and Compensation Policy (2).zip”. The layering of a URL shortener on top of a trusted cloud storage platform made static analysis significantly more difficult. At the same time, the job-themed filename gave victims no reason to hesitate before opening it.

The downloaded archive registered zero detections on VirusTotal at the time of analysis, demonstrating the effectiveness of this multi-platform delivery chain against conventional security tooling.

Archive Contents — Concealment by Design

Once extracted, the archive presented the victim with a single visible file: what appeared to be a legitimate Microsoft Word executable. All remaining components were deliberately hidden within the archive, including:

• A malicious DLL (AppvIsvSubsystems64.dll)
• Supporting runtime files
• A batch script (en.cmd / en.pip)
• A decoy Word document
• A hidden folder named “__” containing next-stage components (Invoice.pdf, Trend.jpg, support.ico, nsedge.exe, update.dll)

DLL Sideloading:

Executing the visible file — Position Details and Compensation Policy.EXE (a renamed winword.exe) — triggered a DLL sideloading attack. The malicious AppvIsvSubsystems64.dll was loaded in place of the legitimate Microsoft Office counterpart of the same name.

What distinguishes this DLL File is its file size. The clean, signed version of this DLL typically ranges between 1 MB and 3 MB. The malicious variant was deliberately inflated to approximately 100 MB. This technique — known as binary padding — is specifically designed to evade automated scanning pipelines and static analysis tools that impose file size thresholds or skip oversized files to conserve processing resources.

Batch Script Execution and Persistence

Despite its inflated size, the malicious DLL had a single task: copy "en.pip" to "en.cmd" and execute it. From there, the batch script extracted a next-stage payload from a password-protected archive disguised as "Invoice.pdf" into %LOCALAPPDATA%\Microsoft\WindowsApps, deleted the archive and extraction utility to reduce forensic traces, and registered a scheduled task for persistence.

The final payload was launched through a Python executable named "nsedge.exe" alongside "update.dll", both placed inside %LOCALAPPDATA%\Microsoft\WindowsApps. The masquerade here operated on two levels: the folder path mimicked a legitimate Microsoft Edge installation directory. At the same time, the filenames were chosen to resemble trusted Edge components, making the entire setup appear as routine system activity to both analysts and automated detection tools. (See Figure 6)

Multi-Layer Encoding

Despite carrying a DLL extension, "update.dll" was in fact a Python script, executed with the parameter "sunset". Its role was to read encrypted content from a file named "support.ico", decode it using a key embedded within the file itself, and execute the resulting deobfuscated Python script directly in memory using Python's exec() method, leaving no additional files on disk for forensic tools to recover.

The XOR-decoded content was not the final layer. Underneath it was Python bytecode that had been Base64-encoded and compressed with both bzip2 and zlib. In simple terms, the attacker wrapped the malicious code in multiple layers, one inside the other, making it harder and more time-consuming for analysts to unpack and understand what the malware was actually doing.

Command and Control — Telegram-Based Dynamic Infrastructure

Once the final payload executed, the malware contacted a Telegram channel (hxxps://t.me/erik22sucbot) to retrieve the address of its command-and-control (C2) server. Rather than hardcoding the C2 address — a static indicator that can be blocked after discovery — the attacker stored it on Telegram in encrypted form. The malware decrypted the address at runtime, allowing the attacker to rotate infrastructure without recompiling or redeploying the payload.

Using the “sunset” parameter, the script constructed a download URL (hxxp://151.243.109.125/support/links/sunset[.]txt) to retrieve the final stage payload. The IP address 151[.]243[.]109[.]125 is configured to redirect to a Chinese government website — an additional layer of masquerading intended to cast doubt on analyst findings and create the false impression that the payload was hosted on legitimate government infrastructure.

The downloaded file "sunset.txt" was not a text file despite its .txt extension. It was, in fact, a Python script, heavily obfuscated to resist analysis.

Python Bytecode analysis

From the memory strings, we observed the following: it tries to steal the following items.

Category	Target	Details
Browser Wallet Extension	MetaMask	nkbihfbeogaeaoehlefnkodbefgpgknn
	TronLink	ibnejdfjmmkpcnlpebklmnkoeoihofec
	Binance Chain Wallet	fhbohimaelbohpjbbldcngcnapndodjp
	Phantom	bfnaelmomeimhlpmgjnjophhpkkoljpa
	Coinbase Wallet	hnfanknocfeofbddgcijnmhnfnkdnaad
	Trust Wallet	egjidjbpglichdcondbcbdnbeeppgdph
	Exodus Web3	aholpfdialjgjfhomihkjbmgjidlcdno
	Ronin Wallet	fnjhmkhhmkbjkkabndcnnogagogbneec
	Math Wallet	hpglfhgfnhbgpjdenjgmdgoeiappafln
	Guarda	aeachknmefphepccionboohckonoeemg
	Keplr	dmkamcknogkgcdfhhbddcghachkejeap
	BitKeep	jiidiaalihmmhddjgbnbgdfflelocpak
	XDEFI Wallet	hmeobnfnfcmdkdcmlblgagmfpfboieaf
	Yoroi	Cjelfplplebdjjenllpjcblmjkfcffne
	Jaxx Liberty	fihkakfobkmkjojpchpfgcmhfjnmnfpi
2FA & Authenticator	Authy	gaedmjdfmmahhbjefcbgaolhhanlaolb
	GAuth Authenticator	ilgcnhelpchnceeipipijaljkblbcobl
	Authenticator	bhghoamapcdpbohphigoooaddinpkbai
	EOS Authenticator	oeljdldpnmdbchonielidgobddffflal
	Trezor Password Manager	imloifkgjagghnncjkhggdhalmcnfklk
Browser	Google Chrome	Google\Chrome\User Data
	Microsoft Edge	Microsoft\Edge\User Data
	Brave	BraveSoftware\Brave-Browser\User Data
	Chromium	Chromium\User Data
	QQ Browser	Tencent\QQBrowser\User Data
	Vivaldi	Vivaldi\User Data
	Comodo Dragon	Comodo\Dragon\User Data
	Epic Privacy Browser	Epic Privacy Browser\User Data
	CocCoc	CocCoc\Browser\User Data
Desktop Wallet	Bitcoin-Qt	Software\Bitcoin\Bitcoin-Qt
	Dash-Qt	Software\Dash\Dash-Qt
	Litecoin-Qt	Software\Litecoin\Litecoin-Qt
	Electrum	Electrum
	Ethereum	Ethereum\keystore
	Exodus	exodus.wallet
	Jaxx	com.liberty.jaxx
	Atomic Wallet	atomic\Local Storage\leveldb
	Zcash	Zcash
Application	Telegram Desktop	Session data
	Foxmail	Email client credentials
	Ledger Live	Hardware wallet manager

Network traffic analysis reveals that sensitive data is being exfiltrated to the external IP address 15.235.156[.]143 over port 56001. Outbound communication is concealed within TLS-encrypted traffic, effectively masking its contents and evading content-based inspection. This encryption layer suggests a deliberate attempt to obfuscate data exfiltration, making it difficult to detect with standard deep packet inspection techniques.

Conclusion

PXA’s evolution into a mature, multi-layered attack operation is a concerning development, as it exploits trust at every stage of the kill chain, from the professional credibility of LinkedIn to the reputation of Google, Dropbox, and Microsoft Office binaries.

The threat actors behind this campaign demonstrate strong operational security awareness, evidenced by the deliberate use of legitimate platforms to avoid detection, in-memory payload execution that leaves no on-disk artifacts, dynamic C2 infrastructure managed through Telegram, and multi-layer encoding to resist reverse engineering.

The campaign's continued propagation through victim LinkedIn connections creates a compounding distribution effect: each compromised account becomes a new, trusted sender for the job-lure message, extending the campaign's reach without additional infrastructure investment from the threat actor.

Job seekers, HR professionals, and employees actively engaged on LinkedIn represent the highest-risk population. Organizations in India, Bangladesh, the Netherlands, Sweden, and the United States should treat this campaign as an active threat.

How can Cyble help?

Cyble Vision can help detect compromised credentials and endpoints, monitor known threats, and supplement SOC teams with proactive intelligence to help avoid them even before they are targeted.

A competitive CTI solution, such as Vision, helps users stay a step ahead of threats originating from the surface, deep, and dark web through timely intel, low signal-to-noise ratio, and specific support in the event of an incident or compromise.

Recommendations

• Verify Recruiter Identities Independently: Always confirm recruiter profiles and company legitimacy through official websites or direct calls before engaging with any job offer received via LinkedIn DMs.
• Never Open Unsolicited File Attachments: Do not download or execute ZIP archives, EXE files, or documents received through job application links, even if they appear to come from a trusted connection.
• Enable Multi-Factor Authentication (MFA): Enable MFA on LinkedIn, email, and all critical accounts. Prefer hardware security keys over app-based TOTP, as infostealers can harvest authenticator tokens
• Audit Your LinkedIn Active Sessions Regularly: Periodically review active sessions and connected devices in LinkedIn security settings. Immediately revoke any unrecognised sessions.
• Keep Endpoint Security Tools Updated: Ensure EDR and antivirus solutions are active and up to date. Deploy solutions capable of detecting DLL sideloading, anomalous Python execution, and large, oversized DLL files.
• Monitor for Suspicious Scheduled Tasks: Regularly audit scheduled tasks on endpoints. Flag any tasks with names that mimic legitimate system processes, such as Microsoft Edge update services.
• Educate Employees on LinkedIn-Based Social Engineering: Include LinkedIn phishing scenarios in regular security awareness training. Employees should understand that professional platforms are actively exploited as initial access vectors
• Report and Revoke Immediately if Compromised: If your LinkedIn account is suspected to be compromised, immediately revoke all active sessions, reset credentials, notify your connections, and report the incident to LinkedIn and your security team.

MITRE ATT&CK Mapping

Tactic	Technique	Description
Initial Access (TA0001)	Phishing: Spearphishing Link (T1566.002)	LinkedIn DM with job lure linking to Google Form and Dropbox-hosted payload
Execution (TA0002)	User Execution: Malicious File (T1204.002)	The victim manually executes the disguised WinWord.exe from the downloaded ZIP.
Execution (TA0002)	Command and Scripting Interpreter: Windows Command Shell (T1059.003)	Malicious logic executed via en.cmd batch script
Persistence (TA0003)	Scheduled Task/Job: Scheduled Task (T1053.005)	Scheduled task created for persistence across reboots
Defense Evasion (TA0005)	DLL Side-Loading (T1574.002)	Malicious AppvIsvSubsystems64.dll loaded in place of the legitimate Microsoft Office DLL.
Defense Evasion (TA0005)	Obfuscated Files or Information: Binary Padding (T1027.001)	DLL inflated to ~100 MB to bypass file size thresholds in automated scanners
Defense Evasion (TA0005)	Obfuscated Files or Information (T1027)	Payload concealed inside a password-protected archive named Invoice.pdf
Defense Evasion (TA0005)	Indicator Removal: File Deletion (T1070.004)	The archive and extraction utility deleted post-execution to reduce forensic artifacts.
Defense Evasion (TA0005)	Masquerading: Match Legitimate Name or Location (T1036.005)	Python executable renamed to nsedge.exe; files placed in a legitimate-looking Edge directory
Defense Evasion (TA0005)	Data Encoding: Standard Encoding (T1132.001)	Payload encoded with XOR, Base64, bzip2, and zlib across multiple layers
Execution (TA0002)	Shared Modules (T1129)	Malicious update.dll (Python script) loaded to execute next-stage payload
Command and Control (TA0011)	Application Layer Protocol: Web Protocols (T1071.001)	C2 communication over HTTP/S; Telegram used for dynamic C2 address retrieval
Credential Access (TA0006)	Credentials from Password Stores: Credentials from Web Browsers (T1555.003)	Browser credential stores targeted across Chrome, Edge, Brave, and others

The post Professional Networks Under Attack: Vietnam-Linked Actors Deploy PXA Stealer in Global Infostealer Campaign appeared first on Cyble.

Executive Summary

Cyble Research & Intelligence Labs (CRIL) has identified a widespread, highly active social engineering campaign hosted primarily on edgeone.app infrastructure.

The initial access vectors are diverse — ranging from “ID Scanner,” and “Telegram ID Freezing,” to “Health Fund AI”—to trick users into granting browser-level hardware permissions such as camera and microphone access under the pretext of verification or service recovery.

Upon gaining permissions, the underlying JavaScript workflow attempts to capture live images, video recordings, microphone audio, device information, contact details, and approximate geographic location from affected devices. This data is subsequently transmitted to attacker-controlled infrastructure, enabling operators to obtain Personally Identifiable Information (PII) and contextually sensitive information. 

Further analysis revealed indicators of potential AI-assisted code generation, including structured annotations and emoji-based message formatting embedded within the operational logic. These characteristics reflect a growing trend where threat actors leverage generative AI tools to accelerate the development of phishing frameworks.

The breadth of data collected in this campaign extends beyond traditional credential phishing and raises significant security concerns. Harvested multimedia and device telemetry could be leveraged for identity theft, targeted social engineering, account compromise attempts, or extortion, posing risks to both individuals and organizations. (Figure 1)

Key Takeaways

• Infrastructure: Extensive use of edgeone.app (EdgeOne Pages) for hosting low-cost, scalable, and highly available phishing landing pages.
• Biometric Harvesting: The operation abuses legitimate browser APIs to access cameras, microphones, and device information after user consent.
• C2 Mechanism: Utilization of the Telegram Bot API (api.telegram.org) as a streamlined C2 and data exfiltration channel.
• Diverse Lures: Attackers rotate lures, including "ID Scanner" and "Health Fund AI", to target various demographics and bypass regional security filters.
• The phishing pages impersonate popular platforms and services, including TikTok, Telegram, Instagram, Chrome/Google Drive, and game-themed lures such as Flappy Bird, to increase victim trust.
• Once interaction occurs, the campaign attempts to collect multiple forms of sensitive data, including photographs, video recordings, microphone audio, device information, contact details, and approximate geographic location.

Overview

• Campaign Start: Observed since early 2026
• Primary Objective: Harvesting victim multimedia data and device information
• Primary Infrastructure: edgeone.app (multiple subdomains)
• Impersonated Brands: TikTok, Telegram, Instagram, Chrome/Google Drive, Flappy Bird
• Key Behavior: Browser permission prompts used to capture camera images, record audio/video, enumerate device metadata, retrieve geolocation information, and attempt contact list access through browser APIs.

The campaign operates as a web-based phishing framework that captures photographs directly from victims’ devices. The infrastructure hosts multiple phishing templates that impersonate verification systems or service recovery portals. The goal is to socially engineer users into granting browser permission for camera access.

Unlike traditional credential phishing pages, these pages do not primarily collect typed input. Instead, they rely on browser hardware permissions, requesting access to the device’s camera. Once permission is granted, the page silently captures a frame from the live video stream and exfiltrates it.

The use of Telegram as a data collection mechanism indicates that the operators prioritize low operational complexity and immediate access to stolen data. Since Telegram bots can receive file uploads through simple HTTP requests, attackers can directly integrate the API into client-side scripts.

Business Impact and Potential Abuse

The data collected through this campaign provides attackers with multiple forms of sensitive personal information and contextual intelligence, thereby significantly increasing the effectiveness of follow-on attacks.

One potential abuse scenario involves identity fraud and account recovery manipulation. The campaign captures victim photographs, video recordings, and audio samples that could be used to bypass identity verification workflows used by financial platforms, social media services, or other online services that rely on biometric or video-based verification.

Additionally, the collection of device information, location data, and contact details allows attackers to build detailed victim profiles. This information may be used to perform targeted social engineering attacks, impersonate victims in communication platforms, or craft convincing fraud attempts against their contacts.

Another concerning use case involves extortion and intimidation. Because the campaign captures multimedia data, such as camera images, video recordings, and microphone audio, attackers may pressure victims by threatening to expose the collected material unless a payment is made.

For organizations, the broader business impact includes:

• Increased risk of identity theft and account takeover attempts
• Potential abuse of stolen biometric and multimedia data in fraud schemes
• Targeted phishing or fraud campaigns against employees and customers
• Reputational damage if impersonated brand identities are used in malicious campaigns

The campaign's ability to collect multiple categories of sensitive information from a single interaction significantly amplifies the risk to both individuals and businesses.

Why does this matter?

This campaign marks a significant evolution in phishing operations, shifting from credential theft to harvesting biometric and device-level data. By abusing browser permissions to capture victims' live images, audio, and contextual device information, threat actors can obtain high-quality identity data that is difficult to revoke or replace.

The stolen data can be leveraged to bypass video-KYC and remote identity verification processes, enabling fraudulent account creation, synthetic identity fraud, account takeover, and financial scams across banking, fintech, telecom, and digital service platforms. Additionally, high-resolution facial images and audio samples may be weaponized for AI-driven impersonation and deepfake attacks, increasing the effectiveness of business email compromise and targeted social engineering campaigns.

For organizations, the campaign introduces elevated risks, including financial losses, regulatory non-compliance, AML exposure, reputational damage, and erosion of trust in digital onboarding systems, highlighting the growing need for stronger verification controls and browser-permission abuse detection.

Technical Analysis

The infection chain, as outlined in Figure 2, shows the stages of the attack.

Phishing Page Behaviour

The phishing page contains embedded JavaScript that leverages browser media APIs to access the victim’s device camera after obtaining user permission. Once access is granted, the script initializes a live video stream and processes its frames.

A capture function then renders a frame from the video feed onto an HTML5 canvas using ctx.drawImage(), effectively converting the live camera input into a static image. (see Figure 3)

The canvas content is subsequently encoded into a JPEG blob via canvas.toBlob(), creating a binary image object that can be transmitted through HTTP requests to attacker-controlled infrastructure.

Expanded Data Collection Capabilities

Analysis of the campaign script indicates that the phishing framework performs extensive device fingerprinting and environment enumeration before initiating camera-based verification workflows.

The script collects system metadata using the following browser APIs

• navigator.userAgent
• navigator.platform
• navigator.deviceMemory
• navigator.hardwareConcurrency
• navigator.connection
• navigator.getBattery

This allows the attacker to gather detailed information such as operating system type and version, device model indicators, screen resolution and orientation, browser version, available RAM, CPU core count, network type, battery level, and language settings.

Additionally, the script retrieves the victim’s public IP address using services such as api.ipify.org, then enriches the geolocation using ipapi.co, enabling the collection of country, city, latitude, and longitude data. (see Figure 4)

This telemetry is aggregated and transmitted to the attacker via the Telegram Bot API, providing operators with contextual information about the victim’s device and location prior to further data harvesting.

Beyond system profiling, the script implements multiple routines for collecting multimedia and personal data via browser permission prompts. The campaign captures several still images from both the front-facing and rear-facing cameras, records short video clips using the MediaRecorder API, and performs microphone recordings.

These recordings are packaged as JPEG, WebM video, or WebM audio files and exfiltrated via Telegram API methods such as sendPhoto, sendVideo, and sendAudio. (see Figure 5)

Additionally, the script attempts to access the victim’s contact list through the Contacts Picker API (navigator.contacts.select), requesting attributes such as contact names, phone numbers, and email addresses. If granted, the selected contacts are formatted into structured messages and transmitted to the attacker. (see Figure 6)

User Interface Manipulation

The phishing pages include interface elements designed to convince victims that the image capture process is legitimate.

For example, status messages displayed during execution may include:

• “Capturing photo”
• “Sending to server”
• “Photo sent successfully”

These messages simulate the behavior of legitimate identity verification platforms and help maintain the illusion that the process is part of a valid verification workflow.

Once the image is successfully transmitted, the script terminates the camera stream and resets the interface after a short delay.

Infrastructure Observations

Analysis of the campaign revealed that the phishing pages are primarily hosted under the edgeone.app domain. Multiple variations of phishing pages were observed using similar JavaScript logic and workflow patterns.

The consistent use of the same infrastructure suggests that attackers may be operating a templated phishing kit capable of generating different themed pages while maintaining the same underlying data-collection logic.

Because the image exfiltration occurs through Telegram infrastructure, the phishing pages themselves do not require backend servers, simplifying deployment and enabling rapid rotation of phishing URLs.

Indicators of Potential Generative AI Use in Script Development

During analysis of the phishing framework, researchers observed the use of emojis embedded directly within the script’s message formatting logic. These emojis appear in structured status messages that are assembled and transmitted during the data collection workflow. The use of decorative Unicode symbols within operational code is uncommon in manually written malicious scripts but has increasingly been observed in campaigns that use generative AI tools during development. (see Figure 7)

Targeted Countries and Impersonated Brands

During infrastructure monitoring and phishing URL telemetry analysis, the campaign's infrastructure appears to be globally accessible. Analysis of the phishing templates used in this campaign reveals that the operators impersonate a range of widely recognized consumer platforms and applications. Observed brand impersonation themes include:

Impersonated Brand	Observed Theme
TikTok	Free followers/engagement rewards
Flappy Bird	Game reward or verification workflows
Telegram	Account freezing or verification alerts
Instagram	Account recovery or follower reward systems
Google Chrome / Google Drive	Security verification prompts

Conclusion

Our deep-dive analysis revealed a sophisticated phishing campaign that extends beyond traditional credential theft by harvesting multimedia and device-level data through browser permission abuse.

The campaign attempts to collect photographs, video recordings, audio recordings from microphones, contact details, device information, and approximate location data directly from victims. This operation demonstrates a growing trend where attackers leverage client-side scripting and legitimate web services to collect and transmit sensitive data without relying on traditional command-and-control infrastructure.

Indicators in the script also suggest AI-assisted development, reflecting how threat actors may be using generative AI tools to accelerate the creation of phishing frameworks.

The breadth of information collected increases the potential for identity theft, targeted social engineering, account compromise attempts, and extortion. Organizations should remain cautious about phishing pages that request hardware permissions, such as camera, microphone, or contact access, particularly when originating from untrusted domains.

Cyble’s Threat Intelligence Platforms continuously monitor emerging threats, attacker infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

• Restrict camera permissions for unknown websites
• Monitor outbound traffic to api.telegram.org when originating from browser sessions
• Deploy browser security extensions capable of identifying phishing pages
• Implement domain monitoring for suspicious infrastructure hosting phishing kits

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Initial Access	T1566 – Phishing	Phishing pages used to lure victims to malicious verification workflows.
Execution	T1059.007 – JavaScript	Malicious JavaScript executed in the victim’s browser.
Collection	T1125 – Video Capture	Camera access is used to capture photos and videos of victims.
Collection	T1123 – Audio Capture	Microphone access is used to record the victim's audio.
Collection	T1005 – Data from Local System	Device information is collected from the browser environment.
Collection	T1213 – Data from Information Repositories	Contact details retrieved from the device contact list.
Discovery	T1082 – System Information Discovery	Device and browser information enumeration.
Discovery	T1614 – System Location Discovery	Victim IP and geographic location collected.
Exfiltration	T1567 – Exfiltration Over Web Services	Collected data transmitted to the attacker's infrastructure.

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post AI-Assisted Phishing Campaign Exploits Browser Permissions to Capture Victim Data appeared first on Cyble.

Executive Summary

In early February 2026, Cyble Research & Intelligence Labs (CRIL) identified a new Linux malware strain delivered through a loader structure previously associated with ShadowHS activity. While ShadowHS samples deployed post-exploitation tooling, the newly observed payload is operationally different. We have named it ClipXDaemon, an autonomous cryptocurrency clipboard hijacker targeting Linux X11 environments.

At the time of this writing, there is no evidence that ShadowHS and ClipXDaemon originate from the same malware author or campaign. The structural overlap in the loader stems from the use of bincrypter, an open-source shell-script encryption framework hosted on GitHub. Both campaigns appear to have leveraged this public tool independently.

ClipXDaemon differs fundamentally from traditional Linux malware. It contains no command-and-control (C2) logic, performs no beaconing, and requires no remote tasking. Instead, it monetizes victims directly by hijacking cryptocurrency wallet addresses copied in X11 sessions and replacing them in real time with attacker-controlled addresses.

It employs stealth techniques, including process masquerading and Wayland session avoidance, in which the attack chain operates entirely locally, without network communication, infrastructure, or operator interaction after execution, making detection and response significantly more challenging.

The campaign is particularly relevant now, given the growing adoption of Linux among developers, traders, and crypto users, many of whom rely on X11-based GUI environments. This represents an evolution in Linux financial malware: autonomous, C2-less, stealthy, and user-focused.

Key Takeaways

• The previously observed ShadowHS-style loader is reused to deploy a different payload — a Linux X11 cryptocurrency clipboard hijacker.
• The campaign uses a three-stage infection chain:
  • Encrypted loader
  • Memory-resident dropper
  • On-disk ELF clipboard hijacker

• The Dropper is entirely staged in memory via a bincrypter-generated loader that uses AES-256-CBC decryption and gzip decompression.
• The malware avoids modern Wayland sessions and operates exclusively in X11 environments, demonstrating intentional defense evasion.
• Implements stealth techniques including double-fork daemonization, /proc masquerading, and PR_SET_NAME process renaming.
• The payload is a fully autonomous daemon that monitors the clipboard every 200ms and replaces cryptocurrency addresses with attacker-controlled wallets, targeting Bitcoin, Ethereum, Litecoin, Monero, Tron, Dogecoin, Ripple, and TON wallets.
• Encrypted regex is ChaCha20-based, with embedded static keys and 64-byte block decryption, ensuring payload secrecy.
• Payload is autonomous with no communication with external C2 (functions entirely locally), relying only on clipboard replacement for monetization.
• Persistence is achieved via ~/.profile modification.
• The campaign illustrates increasing operational reliance on open-source tooling in modern malware development.

Background & Threat Landscape

The ShadowHS malware family, documented in January 2026, used encrypted shell loaders to execute an in-memory, weaponized hackshell payload targeting server environments and was associated with post-exploitation tooling.

ClipXDaemon reflects a strategic pivot. While the staging wrapper remains structurally similar, the delivered payload is entirely different: an autonomous cryptocurrency clipboard hijacker focused on Linux users.

Both ShadowHS samples and ClipXDaemon leverage the publicly available bincrypter framework to encrypt and wrap shell payloads. However, the reuse of a commodity open-source obfuscation tool does not constitute evidence of actor overlap. This indicates a broader trend where attackers are increasingly weaponizing legitimate open-source utilities to reduce development overhead.

This case illustrates several macro-level shifts in the threat landscape. Linux malware is becoming more specialized, targeting financial workflows directly rather than deploying general-purpose remote access tools.

Operational exposure is minimized by eliminating network communication entirely. Modular reuse of publicly available encryption wrappers allows rapid payload swapping without rebuilding infrastructure.

ClipXDaemon therefore represents both a tactical evolution in Linux clipboard hijacking and a strategic example of open-source tool weaponization in financially motivated campaigns.

Technical Analysis

Bincrypt Obfuscated Loader

The initial loader used in this campaign matches the structural output generated by bincrypter. The wrapper script stores an encrypted payload blob inline, base64-decodes it at runtime, strips non-printable characters, derives AES-256-CBC decryption parameters, decompresses via gzip, and executes the decrypted stage directly from memory. (See Figure 1)

The decryption stub, variable naming conventions (short uppercase variables such as P and S), OpenSSL invocation pattern, and execution via /proc/self/fd align with bincrypter-generated output. When replicated in a controlled environment using bincrypter, the structural characteristics match closely. (See Figure 2)

However, the presence of bincrypter does not imply shared authorship between ShadowHS and ClipXDaemon. Bincrypter is a public, open-source tool. Its reuse reflects convenience and operational efficiency rather than coordinated campaign lineage.

The same loader logic is retained across versions. Differences are confined to the embedded base64 password (P), the salt (S), the encrypted configuration blob (C), the payload offset (R), and the derived AES key.

Component	ShadowHS loader	ClipXDaemon loader
P (base64)	U014VW9KeTh5SGhtSXR2QQo=	SXlFWndTTzBZclRmRzRTbgo=
Decoded Password	SMxUoJy8yHhmItvA	IyEZwSO0YrTfG4Sn
Salt (S)	92KemmzRUsREnkdk	96vN4N7cG87KIHzD
C (encrypted config)	S1A76XhLvaqIQ+7WsT+Euw==	MqxlKG3gEwF0BmQiV63bPQ==
R (offset)	4817	7452
Final AES key	92KemmzRUsREnkdk-SMxUoJy8yHhmItvA	96vN4N7cG87KIHzD-IyEZwSO0YrTfG4Sn

This indicates that the loader functions as a reusable staging framework, with payloads swapped at build time rather than behavioral modification.

In-Memory Dropper Execution

Once the loader decrypts and decompresses an intermediate dropper, it does not write the script to disk. Instead, it executes it directly through a file descriptor under /proc/self/fd. This avoids static inspection of the decrypted stage and minimizes disk artifacts.

Upon execution, the decrypted dropper writes a message to STDOUT for purely cosmetic purposes, thereby disguising itself as legitimate software. (See Figure 3)\

Subsequently, it contains an embedded base64-encoded ELF binary, which is decoded & written to a file with a randomized name (between eight and nineteen characters, with a numeric suffix). (See Figure 4)

The ELF binary is dropped at ~/.local/bin/<random_name>. The path selection is deliberate, considering that it resides in userland, requires no elevated privileges, and allows blending with legitimate user-installed binaries. (See Figure 5)

Persistence

After writing the file, the dropper marks it executable, launches it in the background, and appends an execution line to ~/.profile. (See Figure 6)

By modifying ~/.profile, the implant ensures it is executed during future interactive login sessions. This is a user-level persistence mechanism that does not require cron jobs, systemd services, or root access. This indicates that the targeting profile is more consistent with Linux environments than with servers.

Payload Architecture: X11-Dependent Design

The deployed ELF binary is a 64-bit Linux executable dynamically linked against X11 libraries. At the time of writing, it goes undetected by security vendors on VirusTotal. (See Figure 7)

Execution begins with a simple environmental gate: the program checks whether the WAYLAND_DISPLAY environment variable is present.

• If Wayland is detected, execution terminates immediately.
• If Wayland is absent, execution proceeds.

This is done because Wayland’s design prevents global clipboard scraping as X11 allows. By explicitly disabling itself in Wayland sessions, it avoids runtime failure and reduces noise. This indicates that the implant is designed specifically for X11. This environmental awareness indicates familiarity with modern Linux architecture. (See Figure 8)

Daemonization and Process Masquerading

After passing the environment check, the payload performs a double-fork daemonization sequence. It detaches from the controlling terminal, creates a new session, forks again, closes standard file descriptors, changes the working directory to root, and resets the file mode mask. (See Figure 9)

Immediately afterward, it calls prctl(PR_SET_NAME, ...), altering its process name to resemble a kernel worker thread — specifically mimicking kworker/0:2-events. It also modifies argv[0] to reinforce this disguise. (See Figure 10)

This technique is designed to reduce suspicion during casual inspection with tools such as ps or top, as kernel worker names are familiar to Linux administrators and are often ignored.

This technique is not intended to defeat forensic examination; rather, it aims at camouflage rather than perfect stealth.

Clipboard Monitoring Loop

Once daemonized, the implant connects to the X server using standard X11 APIs. If a display connection cannot be established, execution halts. If successful, the program enters a continuous polling loop that iterates every 200 milliseconds, retrieving the contents of the CLIPBOARD selection. (See Figure 11)

Clipboard retrieval is implemented using the native X11 selection protocol rather than a shortcut API. The malware resolves the "CLIPBOARD" and "UTF8_STRING" atoms, creates a hidden 1x1 window, and calls XConvertSelection to request clipboard data in UTF-8 format. It then blocks on SelectionNotify events via XNextEvent until the clipboard owner responds.

Once delivered, the data is extracted with XGetWindowProperty, duplicated into process memory, and the temporary window is destroyed. This ensures clean, synchronous acquisition of human-readable clipboard text without visible UI artifacts. (See Figure 12)

The retrieved text is evaluated against a set of regular expressions corresponding to cryptocurrency wallet formats. If a match is detected, the malware transitions from passive monitoring to active hijacking. It claims clipboard ownership using XSetSelectionOwner, again through a hidden window, and waits for SelectionRequest events.

When a paste operation occurs, the implant responds by supplying the attacker-controlled wallet address via XChangeProperty and XSendEvent, gracefully completing the X11 selection handshake. (See Figure 13)

The 200ms polling interval balances responsiveness and resource invisibility. Replacement occurs fast enough to precede typical paste actions while maintaining low CPU usage. The implant does not intercept keystrokes or monitor network traffic; it simply abuses X11’s trust model — reading clipboard contents, matching wallet patterns, and serving malicious replacements at paste time.

Configuration Protection Using ChaCha20

Wallet regex patterns and replacement addresses are not stored in plaintext. They are encrypted in binary using a ChaCha20 stream cipher with a static 256-bit key and a counter. This avoids revealing configuration buffers during static analysis.

At runtime, a static 256-bit key and counter are used to decrypt configuration buffers in memory. Only after decryption are the regular expressions compiled and replacement wallet addresses stored in memory. (See Figure 14)

This prevents trivial extraction using static string analysis but does not protect communications, as no command-and-control channel exists. The cryptographic implementation is functional rather than advanced. It is sufficient to defeat naive inspection but offers limited resistance to dynamic analysis.

Cryptocurrency Targeting

Dynamic instrumentation revealed that the payload matches multiple cryptocurrency wallet formats. Below is an example showing a Monero address match (See Figure 15)

Below are the regex being matched (extracted post-decryption) :

Ethereum:     "^0x[0-9a-fA-F]{40}$"
Monero:          "^[4][0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"
Bitcoin:         "^(bc1|[13])[a-km-zA-HJ-NP-Z1-9]{25,34}$"
Dogecoin:      "^D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}$"
TON:             "^(EQ|UQ)[A-Za-z0-9_-]{46}$"
Litecoin:      "^([LM3]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}||ltc1[a-z0-9]{39,59})$"
Ripple:     "^r[1-9A-HJ-NP-Za-km-z]{25,34}$"
Tron:            "^T[A-Za-z1-9]{33}$"

The implant operates entirely offline, with encrypted replacement addresses hardcoded and static. Upon detection, the clipboard is overwritten with attacker wallet addresses embedded in the binary (in encrypted form). (See Figure 16)

Observed replacement wallets include:

Cryptocurrency	Attacker Wallet Address
Ethereum	0x502010513bf2d2B908A3C33DE5B65314831646e7
Monero	424bEKfpB6C9LkdfNmg61pMEnAitjde8YWFsCP1JXRYhfu4Tp5EdbUBjCYf9kRBYGzWoZqRYMhWfGAm1N5h6wSPg8bSrbB9
Bitcoin	bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle
Dogecoin	DTkSZNdtYDGndq1kRv5Z2SuTxJZ2Ddacjk
TON	(monitored only - NO replacement found)
Litecoin	ltc1q7d2d39ur47rz7mca4ajzam2ep74ccdwvqre6ej
Ripple (XRP)	(monitored only - NO replacement found)
Tron	TBupDdRjUscZhsDWjSvuwdevnj8eBrE1ht\n

Additional regex patterns indicate monitoring of TON and Ripple wallet formats, although replacement addresses were not observed for those assets.

Absence of Command-and-Control Infrastructure

No network communication was observed during analysis. The binary does not initiate DNS queries, HTTP requests, or socket connections and carries no embedded domains or IP addresses.

This C2-less architecture fundamentally alters the traditional malware kill chain. There is no beaconing stage, no tasking loop, no data exfiltration channel, and no infrastructure to dismantle. Monetization occurs directly at the endpoint when a victim pastes a manipulated wallet address and executes a cryptocurrency transaction.

This model reduces the attacker's operational risk. Since there are no servers to seize, no traffic to sinkhole, and no indicators derived from network telemetry, the detection strategy must rely on host-based behavioral analysis rather than network security controls.

The campaign illustrates a growing trend: financially motivated malware that eliminates the need for infrastructure. Combined with the reuse of publicly available tools such as bincrypter for payload staging, this approach lowers development costs, accelerates deployment, and complicates attribution.

ClipXDaemon is therefore notable not only for its technical design but for what it represents — the increasing weaponization of open-source tooling and the emergence of autonomous, infrastructure-less financial malware targeting Linux users.

Conclusion

The analysis of ClipXDaemon reflects a meaningful shift in Linux malware tradecraft — not in the sophistication of exploitation, but in operational design. The threat eliminates the need for command-and-control infrastructure entirely, collapsing the traditional kill chain into a localized, self-contained monetization loop.

There are no external beacons, tasking servers, or data exfiltration channels. Revenue generation depends solely on clipboard interception and user transaction behavior.

While ClipXDaemon reuses the same loader framework previously observed in ShadowHS reporting, there is no evidence of convergence in attribution. The shared component – bincrypter- is an openly available obfuscation framework.

Its reuse highlights a broader trend in the threat landscape; adversaries increasingly operationalize legitimate open-source tooling to accelerate development cycles and standardize staging mechanisms. This modular reuse model lowers barriers to entry while complicating campaign clustering and attribution analysis.

ClipXDaemon’s strength lies in precision targeting, environmental awareness, and architectural minimalism. As Linux adoption grows within cryptocurrency and developer communities, financially motivated userland implants such as this are likely to increase in frequency.

Cyble's Threat Intelligence Platforms continuously monitor emerging threats, attacker infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

From a detection standpoint, this architectural choice significantly reduces conventional visibility. Network-based detections, domain-reputation feeds, and infrastructure takedown strategies are ineffective against implants that never communicate externally. Instead, detection must pivot toward behavioral telemetry within the endpoint. Given the absence of network indicators, defensive strategies must prioritize endpoint visibility and behavioral controls.

Harden Linux Environments

• Where operationally feasible, transition from X11 (permissive model) to Wayland-based sessions. Wayland’s security model restricts global clipboard scraping, thereby reducing this attack surface.
• Restrict execution from user-writable directories such as ~/.local/bin/ where possible through application control policies.

Monitor Userland Persistence

• Audit modifications to ~/.profile, ~/.bashrc, and other user-level autostart mechanisms.
• Establish baselines for legitimate binaries within ~/.local/bin/ and alert on newly created executables.

Detect Process Masquerading

• Identify processes with kernel-thread naming conventions (e.g., kworker/*) running under non-root user contexts.
• Correlate prctl(PR_SET_NAME) modifications with suspicious execution ancestry.

Instrument X11 API Abuse

• Monitor for abnormal or repetitive use of:
  • XConvertSelection
  • XSetSelectionOwner
  • XGetWindowProperty

• High-frequency clipboard polling (e.g., ~200ms intervals) originating from background daemons should be investigated.

Implement Behavioral EDR Controls

• Alert on execution of ELF binaries dropped from interpreted shell scripts via /proc/self/fd.
• Detect double-fork daemonization sequences initiated from user shell contexts.
• Flag base64-decoded ELF writes followed by immediate execution.

User Awareness Controls

• Encourage manual verification of cryptocurrency addresses before transaction confirmation.
• Where possible, utilize hardware wallet confirmation mechanisms that display recipient addresses independently of the host system.

Organizations operating Linux environments in cryptocurrency-sensitive roles should consider clipboard manipulation threats as part of their baseline threat model.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Execution	Command and Scripting Interpreter (T1059.004)	The initial loader runs via a shell wrapper generated with bincrypter, which decrypts and launches the embedded dropper.
Defense Evasion	Obfuscated Files or Information (T1027)	The loader uses AES-256-CBC encryption and gzip compression to conceal payload contents. The ELF configuration is further encrypted with ChaCha20.
Defense Evasion	Reflective Code Loading (T1620)	The intermediate dropper executes directly from /proc/self/fd, avoiding on-disk script artifacts.
Persistence	Shell Configuration Modification (T1547)	The dropper adds execution of the ELF payload to ~/.profile, enabling persistence upon user login.
Discovery	System Information Discovery (T1082)	The payload checks for the presence of Wayland (WAYLAND_DISPLAY) to determine whether execution is viable.
Defense Evasion	Masquerading (T1036)	The payload renames itself using prctl(PR_SET_NAME) to mimic kernel worker threads.
Credential Access / Collection	Clipboard Data (T1115)	The payload abuses X11 selection APIs to retrieve clipboard contents and monitor cryptocurrency wallet patterns.
Impact	Data Manipulation (T1565)	The malware modifies clipboard data in transit by replacing legitimate wallet addresses with attacker-controlled addresses.

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
87ab42a2a58479cf17e5ce1b2a2e8f915d539899993848e5db679c218f0e7287	SHA-256	Bincrypter loader script
23099eea9c4f85ff62a4f43634d431bbed0bf6b039a3f228b1c047f1c2f0cd11	SHA-256	Dropper Script
b6bb28160532400eafad532842e4ba9add6d6bbba4f7e7c85e3dbb650369eb00	SHA-256	ClipXDaemon ELF binary
0x502010513bf2d2B908A3C33DE5B65314831646e7	Ethereum	Attacker Wallet Address
424bEKfpB6C9LkdfNmg61pMEnAitjde8YWFsCP1JXRYhfu4Tp5EdbUBjCYf9kRBYGzWoZqRYMhWfGAm1N5h6wSPg8bSrbB9	Monero	Attacker Wallet Address
bc1qe8g2rgac5rssdf5jxcyytrs769359ltle3ekle	Bitcoin	Attacker Wallet Address
DTkSZNdtYDGndq1kRv5Z2SuTxJZ2Ddacjk	Dogecoin	Attacker Wallet Address
ltc1q7d2d39ur47rz7mca4ajzam2ep74ccdwvqre6ej	Litecoin	Attacker Wallet Address
TBupDdRjUscZhsDWjSvuwdevnj8eBrE1ht	Tron	Attacker Wallet Address

The post ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered via Bincrypter-Based Loader appeared first on Cyble.

Executive Summary

SURXRAT is an actively developed Android Remote Access Trojan (RAT) commercially distributed through a Telegram-based malware-as-a-service (MaaS) ecosystem under the SURXRAT V5 branding.

The malware is marketed using structured reseller and partner licensing tiers, allowing affiliates to generate and distribute customized builds while the operator maintains centralized infrastructure and operational control.

This distribution model reflects the increasing professionalization of the Android threat landscape, where malware developers focus on scalability and monetization through affiliate-driven campaigns.

Technical analysis shows that SURXRAT operates as a full-featured surveillance and device-control platform capable of extensive data exfiltration, real-time remote command execution, and ransomware-style device locking.

The malware abuses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure to manage infected devices. Code similarities suggest that it evolved from the ArsinkRAT family.

We have identified the latest samples that conditionally download a large LLM module, indicating experimentation with AI-assisted capabilities, device performance manipulation, and alternative monetization strategies alongside traditional surveillance and extortion activities.

While it may not always be possible to avoid these threats entirely, prompt action can help reduce the impact of compromise. Threat intelligence tools such as Vision provide users with a real-time view of their digital threat landscape, alerting them to any compromise and enabling them to take corrective action.

Key Takeaways

• SURXRAT is sold openly via Telegram, with reseller and partner licensing tiers, enabling scalable distribution through affiliate operators rather than centralized campaigns.
• Source code references and functional overlap indicate SURXRAT likely evolved from ArsinkRAT, highlighting continued reuse and rapid enhancement of Android RAT frameworks.
• The malware collects sensitive data, including SMS messages, contacts, call logs, device information, location data, and browser activity, enabling credential theft and financial fraud operations.
• Use of Firebase Realtime Database infrastructure allows attackers to blend malicious communications with legitimate cloud traffic, improving reliability and complicating detection.
• SURXRAT conditionally downloads a large LLM module from external repositories, suggesting experimentation with AI-driven functionality, device performance manipulation, or evasion techniques.
• The integrated ransomware-style screen locker enables attackers to deny device access and demand payment, allowing flexible monetization through surveillance, fraud, or extortion.

Overview

Cyble Research and Intelligence Labs (CRIL) identified a new variant of SURXRAT, an actively developed Android Remote Access Trojan (RAT) being openly commercialized through a dedicated Telegram-based distribution ecosystem. Unlike opportunistic commodity malware, SURXRAT is positioned as a subscription-style cybercrime product, indicating an increasing level of professionalization in the Android malware-as-a-service (MaaS) landscape.

The Indonesian threat actor (TA) operates a Telegram channel through which the malware is marketed, regularly updated, and distributed to resellers and partners. The channel was created in late 2024, suggesting that active malware development likely began in early 2025. At the time of analysis, we identified more than 180 related samples, indicating continuous development activity and demonstrating that the threat actor is actively maintaining and evolving the malware.

The structured pricing tiers, operational announcements, and feature updates demonstrate a mature commercialization model similar to underground SaaS platforms, suggesting the operator is targeting aspiring cybercriminals rather than conducting attacks directly.

SURXRAT is marketed under a structured licensing scheme branded as SURXRAT V5, indicating active development and ongoing version iteration by the operator. The threat actor offers two primary purchase tiers within a “Ready Plan” model designed to attract both individual operators and larger resellers.

The Reseller Plan, advertised at a one-time payment of 200k, provides permanent access, allows buyers to generate up to three malware builds per day, includes free server upgrades, and permits users to create and sell SURXRAT builds while adhering to the operator’s predefined market pricing.

The Partner Plan, priced at 500k as a permanent license, expands these capabilities by increasing the daily build limit to ten accounts, maintaining free server upgrades, and granting buyers the ability to establish their own reseller networks, effectively enabling further distribution.

Both tiers emphasize a one-time payment structure (“anti pt pt”), suggesting no recurring subscription fees. This tiered commercialization approach demonstrates the operator's deliberate attempt to scale malware adoption through affiliate-style distribution, decentralizing infection operations while retaining centralized control over infrastructure and ecosystem governance.

The threat actor periodically posts operational statistics to reinforce legitimacy and attract buyers. One such announcement revealed:

• Bot Status: Active
• Total Users: 1,318 registered accounts within the system
• Operational confirmation timestamp: January 2026

While these figures cannot be independently verified, public disclosure of user metrics is a common underground marketing tactic intended to establish credibility and demonstrate adoption among cybercriminal customers. If accurate, the numbers suggest a growing ecosystem of operators leveraging SURXRAT for Android surveillance and financial fraud operations.

SURXRAT V5 provides a comprehensive surveillance and remote-control feature set consistent with modern Android RATs. The functionality indicates a strong emphasis on data harvesting, device monitoring, and full remote manipulation.

Data Collection and Surveillance Features

The malware enables extensive extraction of sensitive user information, including:

• SMS monitoring
• Contact list and call logs
• System information and installed applications
• Gmail account data
• Device location tracking
• Network and connectivity information
• Notification interception
• Clipboard monitoring
• Web browsing history
• Cellular tower intelligence
• WiFi scanning and connection history
• Full file manager access

This level of visibility allows attackers to perform credential harvesting, OTP interception, profiling, and reconnaissance for secondary fraud operations.

Remote Device Control Capabilities

SURXRAT extends beyond passive surveillance by enabling attackers to manipulate compromised devices actively:

• Remote device unlocking
• Triggering phone calls
• Wallpaper modification via remote URL
• Remote audio playback
• Network lag manipulation
• Push notification delivery
• Forced website opening
• Flashlight activation
• Device vibration control
• On-screen text overlays
• Device locking using attacker-defined PIN
• Complete storage wipe functionality

During analysis of the SURXRAT sample, references to ArsinkRAT were found in the source code, suggesting a developmental relationship between the two malware families. In January 2026, Zimperium reported an increase in activity associated with ArsinkRAT campaigns targeting Android devices.

A comparative analysis indicates notable functional and structural similarities between SURXRAT and ArsinkRAT, suggesting that the threat actor likely leveraged the ArsinkRAT source code. Using this foundation, an enhanced variant incorporating additional capabilities and updated features was subsequently developed.

This evolution highlights how existing Android RAT frameworks continue to be repurposed and expanded by threat actors, accelerating malware development cycles and enabling rapid introduction of new surveillance and control functionalities.

During our analysis of the latest SURXRAT variant, we identified a deliberate mechanism to manipulate network lag. The malware initiates the download of a large LLM module (>23GB) hosted on Hugging Face. This approach is highly atypical for a mobile-based device.

Notably, this download is conditionally triggered when specific gaming applications are active on the victim’s device, namely Free Fire MAX x JUJUTSU KAISEN (com.dts.freefiremax) and Free Fire x JUJUTSU KAISEN (com.dts.freefireth), or when the malware receives alternative target package names dynamically from the threat actor–controlled server.

This indicates that the download behavior is remotely configurable, allowing operators to initiate the module retrieval based on applications specified through backend commands.

While downloading a model of this size on a mobile device may initially appear impractical, the observed behavior indicates intentional implementation rather than a misconfiguration. The LLM module appears to be under active development and may be leveraged to:

• Deliberately introduce device or network latency during gameplay, potentially supporting paid cheating or disruption services
  mask malicious background activity by degrading overall device performance, leading users to attribute abnormal behavior to system issues rather than malware
  enable future AI-driven capabilities, such as automated interactions or adaptive social engineering techniques

The selective and conditional deployment of this module suggests that the threat actor is actively experimenting with AI-based components to enhance monetization strategies, improve evasion techniques, and expand operational capabilities.

Technical Analysis

Upon execution, the malware prompts the victim to grant multiple high-risk permissions, including access to location services, contacts, SMS messages, and device storage.

Following initial permission approval, the malware displays additional prompts guiding the user to enable Accessibility Services. This commonly abused Android feature allows applications to monitor screen content and perform automated actions. The abuse of accessibility permissions significantly increases attacker control, enabling surveillance and facilitating further malicious operations without continuous user interaction.

After acquiring the required permissions, SURXRAT establishes communication with a backend infrastructure hosted on a Firebase Realtime Database:

hxxps://xrat-sisuriya-default-rtdb.firebaseio[.]com

The malware connects using a database reference labeled “arsinkRAT,” further reinforcing the developmental linkage between SURXRAT and the previously observed ArsinkRAT malware family.

Once connectivity is established, the malware performs device registration by generating a random UUID, which serves as a unique identifier for tracking infected devices. Following registration, SURXRAT immediately begins exfiltrating sensitive information to the Firebase backend.

The malware collects and transmits a wide range of victim data, enabling comprehensive device profiling. Exfiltrated information includes:

• Contact lists
• SMS messages
• Call logs
• Device brand and model
• Android OS version
• Battery level and status
• SIM card details
• Network information
• Public IP address

This dataset allows attackers to uniquely identify victims, monitor communications, and prepare follow-on fraud or surveillance activities such as OTP interception and account takeover.

After successful device registration, SURXRAT launches a persistent background service that maintains continuous communication with the Firebase command-and-control (C&C) infrastructure and receives commands. The malware initializes multiple internal manager classes that handle surveillance, device control, and data collection.

The infected device periodically sends status updates to the backend while simultaneously polling for incoming commands issued by the operator. This near real-time synchronization enables attackers to execute actions on compromised devices remotely with minimal delay.

Analysis of command handlers revealed several instructions received from the Firebase backend that allow attackers to perform surveillance and active device manipulation:

Spy Commands	Description
accounts	Collects Google account information associated with the device
apps_list	Retrieves the list of installed applications
device_info	Collects detailed device metadata
audio_record	Records audio
file_list	Enumerates files and extracts metadata
flashlight	Remotely controls the device flashlight
camera_photo	Captures images using the device camera
contacts	Collects contacts
call_log	Collects call log
sms_read	Collects SMSs
Sms_send	Sends SMSs from the infected device
tts	Execute text to speech
call	Makes a call from the infected device
toast	Display a toast message
vibrate	Remotely vibrates the device
file_delete	Deletes file
location	Collects the victim’s location
file_upload	Sends file to the server
RAT Commands	Description
access	Collects clipboard data
unlock	Remove locks
app	Sync app list
Cal	Dail calls
fla	Handles flashlight
for	Wipe data
Mus	Play music
Not	Send System update notification
url	Opens URL
vib	Vibrates device
voi	Executes text-to-speech
wal	Changes wallpapers
Brow	Collects browser history
Cell	Collects the device’s cell info
Lock	Execute the Screen Locker feature
wifih	Collect Wi-Fi history
wifis	Execute text-to-speech

The figure below shows the admin panel image shared on the threat actor’s Telegram account, highlighting the various actions and controls available through SURXRAT.

Screen Locker Activity

The SURXRAT sample also contains a ransomware-style screen locker module that allows a remote attacker to seize control of the victim’s device and temporarily deny access to it. When activated, the malware forces the device to display a persistent full-screen lock message that the user cannot easily dismiss. The attacker can remotely customize both the displayed message and the unlock PIN, enabling them to demand a ransom payment directly from the victim.

The malware continuously reports user interactions back to the attacker’s server. Each incorrect PIN entry is transmitted to the backend, allowing the operator to monitor victim behavior and response attempts in real time. The lock screen can also be remotely removed by the attacker, giving them complete control over when the device becomes usable again. Overall, this functionality appears intended to coerce victims through disruption and intimidation, ultimately facilitating ransom-based monetization.

The integration of ransomware-style locking into a surveillance RAT indicates hybrid monetization, allowing operators to switch between espionage, fraud, and direct extortion based on the value of the victim.

Conclusion

SURXRAT represents a notable evolution in Android malware, combining MaaS-style commercialization, cloud-based command infrastructure, and modular capabilities into a single adaptable threat platform. The malware’s extensive surveillance features, real-time remote control functions, and ransomware-style device locking demonstrate a shift toward multi-functional mobile threats designed for flexible monetization.

The observed experimentation with large AI model integration further indicates that threat actors are actively exploring emerging technologies to enhance operational effectiveness and evade detection. As Android malware ecosystems continue to mature, threats like SURXRAT highlight the increasing accessibility of advanced mobile attack capabilities to a broader cybercriminal audience, reinforcing the need for improved mobile threat visibility, behavioral detection, and user awareness.

Prevention is ideal, but it isn’t always an option. Threat Intelligence platforms such as Cyble Vision provide users with insight into their digital risk profile and can notify them of any breaches or unauthorized access, enabling them to take immediate corrective action.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

• Install Apps Only from Trusted Sources:
  Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
• Be Cautious with Permissions and Installs:
  Never grant permissions and install an application unless you're certain of an app's legitimacy.
• Watch for Phishing Pages:
  Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
• Enable Multi-Factor Authentication (MFA):
  Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
• Report Suspicious Activity:
  If you suspect you've been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
• Use Mobile Security Solutions:
  Install a mobile security application that includes real-time scanning.
• Keep Your Device Updated:
   Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Persistence (TA0028)	Event Triggered Execution: Broadcast Receivers(T1624.001)	SURXRAT registered the BOOT_COMPLETED broadcast receiver to activate the screen locker activity
Persistence (TA0028)	Foreground Persistence (T1541)	SURXRAT uses foreground services by showing a notification
Defense Evasion (TA0030)	Impair Defenses: Prevent Application Removal (T1629.001)	Prevent uninstallation
Defense Evasion (TA0030)	Obfuscated Files or Information (T1406)	SURXRAT uses a Base64 encoding to encode the stolen files and send them to the Telegram Bot
Credential Access (TA0031)	Access Notifications (T1517)	SURXRAT collects device notifications
Discovery (TA0032)	Software Discovery (T1418)	SURXRAT collects the installed application list
Discovery (TA0032)	System Information Discovery (T1426)	SURXRAT collects the device information
Discovery (TA0032)	System Network Connections Discovery (T1421)	SURXRAT collects cell and wifi information
Discovery (TA0032)	File and Directory Discovery (T1420)	SURXRAT Enumerates external storage
Credential Access (TA0031)	Clipboard Data (T1414)	SURXRAT collects Clipboard Data
Collection (TA0035)	Audio Capture (T1429)	SURXRAT can capture audio
Collection (TA0035)	Data from Local System (T1533)	SUXRAT collects files from external storage
Collection (TA0035)	Location Tracking (T1430)	SURXRAT Can collect location
Collection (TA0035)	Protected User Data: Call Log (T1636.002)	SURXRAT Collects call log
Collection (TA0035)	Protected User Data: Contact List (T1636.003)	Collects contact data
Collection (TA0035)	Protected User Data: SMS Messages (T1636.004)	Collects SMS data
Collection (TA0035)	Protected User Data: Accounts (T1636.005)	SUXRAT collects Gmail account data
Collection (TA0035)	Video Capture (T1512)	SURXRAT Captures photos using the device camera
Command and Control (TA0037)	Application Layer Protocol: Web Protocols (T1437.001)	Malware uses HTTPs protocol
Exfiltration (TA0036)	Exfiltration Over C2 Channel (T1646)	SURXRAT sends collected data to the C&C server
Impact (TA0034)	SMS Control (T1582)	SURXRAT can send SMSs from the infected device
Impact (TA0034)	Call Control (T1616)	SURXRAT can make calls
Impact (TA0034)	Data Destruction (T1662)	Wipe external storage

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post SURXRAT: From ArsinkRAT roots to LLM Module Downloads Signaling Capability Expansion appeared first on Cyble.

Executive Summary

Cyble Research and Intelligence Labs (CRIL) observed large-scale, systematic exposure of ChatGPT API keys across the public internet. Over 5,000 publicly accessible GitHub repositories and approximately 3,000 live production websites were found leaking API keys through hardcoded source code and client-side JavaScript.

GitHub has emerged as a key discovery surface, with API keys frequently committed directly into source files or stored in configuration and .env files. The risk is further amplified by public-facing websites that embed active keys in front-end assets, leading to persistent, long-term exposure in production environments.

CRIL’s investigation further revealed that several exposed API keys were referenced in discussions mentioning the Cyble Vision platform. The exposure of these credentials significantly lowers the barrier for threat actors, enabling faster downstream abuse and facilitating broader criminal exploitation.

These findings underscore a critical security gap in the AI adoption lifecycle. AI credentials must be treated as production secrets and protected with the same rigor as cloud and identity credentials to prevent ongoing financial, operational, and reputational risk.

Key Takeaways

• GitHub is a primary vector for the discovery of exposed ChatGPT API keys.
• Public websites and repositories form a continuous exposure loop for AI secrets.
• Attackers can use automated scanners and GitHub search operators to harvest keys at scale.
• Exposed AI keys are monetized through inference abuse, resale, and downstream criminal activity.
• Most organizations lack monitoring for AI credential misuse.

AI API keys are production secrets, not developer conveniences. Treating them casually is creating a new class of silent, high-impact breaches.

Richard Sands, CISO, Cyble

Overview, Analysis, and Insights

“The AI Era Has Arrived — Security Discipline Has Not”

We are firmly in the AI era. From chatbots and copilots to recommendation engines and automated workflows, artificial intelligence is no longer experimental. It is production-grade infrastructure with end-to-end workflows and pipelines. Modern websites and applications increasingly rely on large language models (LLMs), token-based APIs, and real-time inference to deliver capabilities that were unthinkable just a few years ago.

This rapid adoption has also given rise to a development culture often referred to as “vibe coding.” Developers, startups, and even enterprises are prioritizing speed, experimentation, and feature delivery over foundational security practices. While this approach accelerates innovation, it also introduces systemic weaknesses that attackers are quick to exploit.

One of the most prevalent and most dangerous of these weaknesses is the widespread exposure of hardcoded AI API keys across both source code repositories and production websites.

A rapidly expanding digital risk surface is likely to increase the likelihood of compromise; a preventive strategy is the best approach to avoid it. Cyble Vision provides users with insight into exposures across the surface, deep, and dark web, generating real-time alerts for them to view and take action.

SOC teams will be able to leverage this data to remediate compromised credentials and their associated endpoints. With Threat Actors potentially weaponizing these credentials to carry out malicious activities (which will then be attributed to the affected user(s)), proactive intelligence is paramount to keeping one’s digital risk surface secure.

“Tokens are the new passwords — they are being mishandled.”

AI platforms use token-based authentication. API keys act as high-value secrets that grant access to inference capabilities, billing accounts, usage quotas, and, in some cases, sensitive prompts or application behavior. From a security standpoint, these keys are equivalent to privileged credentials.

Despite this, ChatGPT API keys are frequently embedded directly in JavaScript files, front-end frameworks, static assets, and configuration files accessible to end users. In many cases, keys are visible through browser developer tools, minified bundles, or publicly indexed source code. An example of the keys hardcoded in popular reputable websites is shown below (see Figure 1)

This reflects a fundamental misunderstanding: API keys are being treated as configuration values rather than as secrets. In the AI era, that assumption is dangerously outdated. In some cases, this happens unintentionally, while in others, it’s a deliberate trade-off that prioritizes speed and convenience over security.

When API keys are exposed publicly, attackers do not need to compromise infrastructure or exploit vulnerabilities. They simply collect and reuse what is already available.

CRIL has identified multiple publicly accessible websites and GitHub Repositories containing hardcoded ChatGPT API keys embedded directly within client-side code. These keys are exposed to any user who inspects network requests or application source files.

A commonly observed pattern resembles the following:

```javascript
const OPENAI_API_KEY = "sk-proj-XXXXXXXXXXXXXXXXXXXXXXXX";
```

```javascript
const OPENAI_API_KEY = "sk-svcacct-XXXXXXXXXXXXXXXXXXXXXXXX";
```

The prefix “sk-proj-“ typically represents a project-scoped secret key associated with a specific project environment, inheriting its usage limits and billing configuration. The “sk-svcacct-“ prefix generally denotes a service account–based key intended for automated backend services or system integrations.

Regardless of type, both keys function as privileged authentication tokens that enable direct access to AI inference services and billing resources. When embedded in client-side code, they are fully exposed and can be immediately harvested and misused by threat actors.

GitHub as a High-Fidelity Source of AI Secrets

Public GitHub repositories have emerged as one of the most reliable discovery surfaces for exposed ChatGPT API keys. During development, testing, and rapid prototyping, developers frequently hardcode OpenAI credentials into source code, configuration files, or .env files—often with the intent to remove or rotate them later. In practice, these secrets persist in commit history, forks, and archived repositories.

CRIL analysis identified over 5,000 GitHub repositories containing hardcoded OpenAI API keys. These exposures span JavaScript applications, Python scripts, CI/CD pipelines, and infrastructure configuration files. In many cases, the repositories were actively maintained or recently updated, increasing the likelihood that the exposed keys were still valid at the time of discovery.

Notably, the majority of exposed keys were configured to access widely used ChatGPT models, making them particularly attractive for abuse. These models are commonly integrated into production workflows, increasing both their exposure rate and their value to threat actors.

Once committed to GitHub, API keys can be rapidly indexed by automated scanners that monitor new commits and repository updates in near real time. This significantly reduces the window between exposure and exploitation, often to hours or even minutes.

Public Websites: Persistent Exposure in Production Environments

Beyond source code repositories, CRIL observed widespread exposure of ChatGPT API keys directly within production websites. In these cases, API keys were embedded in client-side JavaScript bundles, static assets, or front-end framework files, making them accessible to any user inspecting the application.

CRIL identified approximately 3,000 public-facing websites exposing ChatGPT API keys in this manner. Unlike repository leaks, which may be removed or made private, website-based exposures often persist for extended periods, continuously leaking secrets to both human users and automated scrapers.

These implementations frequently invoke ChatGPT APIs directly from the browser, bypassing backend mediation entirely. As a result, exposed keys are not only visible but actively used in real time, making them trivial to harvest and immediately abuse.

As with GitHub exposures, the most referenced models were highly prevalent ChatGPT variants used for general-purpose inference, indicating that these keys were tied to live, customer-facing functionality rather than isolated testing environments. These models strike a balance between capability and cost, making them ideal for high-volume abuse such as phishing content generation, scam scripts, and automation at scale.

Hard-coding LLM API keys risks turning innovation into liability, as attackers can drain AI budgets, poison workflows, and access sensitive prompts and outputs. Enterprises must manage secrets and monitor exposure across code and pipelines to prevent misconfigurations from becoming financial, privacy, or compliance issues.  

Kaustubh Medhe, CPO, Cyble

From Exposure to Exploitation: How Attackers Monetize AI Keys

Threat actors continuously monitor public websites, GitHub repositories, forks, gists, and exposed JavaScript bundles to identify high-value secrets, including OpenAI API keys. Once discovered, these keys are rapidly validated through automated scripts and immediately operationalized for malicious use.

Compromised keys are typically abused to:

• Execute high-volume inference workloads
• Generate phishing emails, scam scripts, and social engineering content
• Support malware development and lure creation
• Circumvent usage quotas and service restrictions
• Drain victim billing accounts and exhaust API credits

In certain cases, CRIL, using Cyble Vision, also identified several of these keys that originated from exposures and were subsequently leaked, as noted in our spotlight mentions. (see Figure 2 and Figure 3)

Unlike traditional conventions, AI API activity is often not integrated into centralized logging, SIEM monitoring, or anomaly detection frameworks. As a result, malicious usage can persist undetected until organizations encounter billing spikes, quota exhaustion, degraded service performance, or operational disruptions.

Conclusion

The exposure of ChatGPT API keys across thousands of websites and tens of thousands of GitHub repositories highlights a systemic security blind spot in the AI adoption lifecycle. These credentials are actively harvested, rapidly abused, and difficult to trace once compromised.

As AI becomes embedded in business-critical workflows, organizations must abandon the perception that AI integrations are experimental or low risk. AI credentials are production secrets and must be protected accordingly.

Failure to secure them will continue to expose organizations to financial loss, operational disruption, and reputational damage.

SOC teams should take the initiative to proactively monitor for exposed endpoints using monitoring tools such as Cyble Vision, which provides users with real-time alerts and visibility into compromised endpoints.

This, in turn, allows them to take corrective action to identify which endpoints and credentials were compromised and secure any compromised endpoints as soon as possible.

Our Recommendations

Eliminate Secrets from Client-Side Code

AI API keys must never be embedded in JavaScript or front-end assets. All AI interactions should be routed through secure backend services.

Enforce GitHub Hygiene and Secret Scanning

• Prevent commits containing secrets through pre-commit hooks and CI/CD enforcement
• Continuously scan repositories, forks, and gists for leaked keys
• Assume exposure once a key appears in a public repository and rotate immediately
• Maintain a complete inventory of all repositories associated with the organization, including shadow IT projects, archived repositories, personal developer forks, test environments, and proof-of-concept code
• Enable automated secret scanning and push protection at the organization level

Apply Least Privilege and Usage Controls

• Restrict API keys by project scope and environment (separate dev, test, prod)
• Apply IP allowlisting where possible
• Enforce usage quotas and hard spending limits
• Rotate keys frequently and revoke any exposed credentials immediately
• Avoid sharing keys across teams or applications

Implement Secure Key Management Practices

• Store API keys in secure secret management systems
• Avoid storing keys in plaintext configuration files
• Use environment variables securely and restrict access permissions
• Do not log API keys in application logs, error messages, or debugging outputs
• Ensure keys are excluded from backups, crash dumps, and telemetry exports

Monitor AI Usage Like Cloud Infrastructure

Establish baselines for normal AI API usage and alert on anomalies such as spikes, unusual geographies, or unexpected model usage.

The post When AI Secrets Go Public: The Rising Risk of Exposed ChatGPT API Keys appeared first on Cyble.

RESEARCH DISCLAIMER:  
This analysis examines the most recent and actively maintained repositories of OTP & SMS bombing tools to understand current attack capabilities and targeting patterns. All statistics represent observed patterns within our research sample and should be interpreted as indicative trends rather than definitive totals of the entire OTP bombing ecosystem. The threat landscape is continuously evolving with new tools and repositories emerging regularly. 

Executive Summary

Cyble Research and Intelligence Labs (CRIL) identified sustained development activity surrounding SMS, OTP, and voice-bombing campaigns, with evidence of technical evolution observed through late 2025 and continuing into 2026. Analysis of multiple development artifacts reveals progressive expansion in regional targeting, automation sophistication, and attack vector diversity.

Recent activity observed through September and October 2025, combined with new application releases in January 2026, indicates ongoing campaign persistence. The campaigns demonstrate technical maturation from basic terminal implementations to cross-platform desktop applications with automated distribution mechanisms and advanced evasion capabilities.

CRIL's investigation identified coordinated abuse of authentication endpoints across the telecommunications, financial services, e-commerce, ride-hailing, and government sectors, collectively targeting infrastructure in West Asia, South Asia, and Eastern Europe.

Key Takeaways

• Persistent Evolution: Repository modifications observed through late 2025, with new regional variants released in January 2026
• Cross-Platform Advancement: Transition from terminal tools to Electron-based desktop applications with GUI and auto-update mechanisms
• Multi-Vector Capabilities: Combined SMS, OTP, voice call, and email bombing, enabling sustained harassment campaigns
• Performance Optimization: Implementation in Go, claiming significant speed advantages with FastHTTP library integration
• Advanced Evasion: Proxy rotation, User-Agent randomization, request timing variation, and concurrent execution capabilities (75% SSL bypass prevalence)
• Broad Infrastructure Exposure: ~843 authentication endpoints across ~20 repositories spanning multiple industry verticals
• Low Detection Rates: Multi-stage droppers and obfuscation techniques evade antivirus detection at the time of analysis

Discovery and Attribution

What began in the early 2020s as isolated SMS bombing pranks among tech-savvy individuals has evolved into a sophisticated ecosystem of automated harassment tools. An "SMS bomber" or "TP Bombers" can overwhelm a phone number with a barrage of automated text messages - initially emerged as rudimentary Python scripts shared on coding forums.

These early implementations were crude, targeting only a handful of regional service providers and using manually collected API endpoints. Given the dramatic transformation of the digital threat landscape in recent years, driven by the proliferation of public code repositories, the commoditization of attack tools, and the increasing sophistication of threat actors.

Our investigation into this evolving threat began with routine monitoring of malicious code repositories and underground discussion forums. What we discovered was far more extensive: a well-organised, rapidly expanding ecosystem characterized by cross-platform tool development, international collaboration among threat actors, and an alarming trend toward commercialization.

Repository Analysis and Dataset Composition

Malicious actors have weaponised GitHub as a distribution platform for SMS and OTP-bombing tools, creating hundreds of malicious repositories since 2022. Our investigation analyzed around 20 of the most active and recently maintained repositories to characterize current attack capabilities.

Across these repositories, there are ~843 vulnerable, catalogued  API endpoints from legitimate organizations: e-commerce platforms, financial institutions, government services, and telecommunications providers.

Each endpoint lacks adequate rate limiting or CAPTCHA protection, enabling automated exploitation. Target lists span seven geographic regions, with concentrated focus on India, Iran, Turkey, Ukraine, and Eastern Europe.

Repository maintainers provide tools in seven programming languages and frameworks, from simple Python scripts to cross-platform GUI applications. This diversity enables attackers with minimal technical knowledge to execute harassment campaigns without understanding the underlying exploitation mechanics.

Attack Ecosystem: By The Numbers

Our analysis of active SMS bombing repositories gives us an insight into the true scale and sophistication of this threat landscape:

Regional Targeting Distribution

Iran-focused endpoints dominate the observed sample at 61.68% (~520 endpoints), followed by India at 16.96% (~143 endpoints). This concentration suggests coordinated development efforts targeting specific telecommunications infrastructure.

Web-Based SMS Bombing Services

Accessibility and Threat Escalation

In parallel with the open-source repository ecosystem, a thriving commercial sector of web-based SMS-bombing services exists.

These platforms represent a significant escalation in threat accessibility, removing all technical barriers to conducting attacks. Unlike repository-based tools that require users to download code, configure environments, and execute commands, these web services offer point-and-click interfaces accessible from any browser or mobile device.

Deceptive Marketing Practices

Our analysis identified numerous active web services operating openly via search-engine-indexed domains. These services employ sophisticated marketing strategies, positioning themselves as 'SMS prank tools' or 'SMS testing services' while providing the exact functionality required for harassment campaigns.

Data Harvesting and Resale Operations

Although these websites present themselves as benign prank tools, they operate a predatory data-collection model in which users' phone numbers are systematically harvested for secondary exploitation. These collected contact numbers are subsequently used for spam campaigns and scam operations, or monetized through resale as lead lists to third-party spammers and scammers. This creates a dual-threat model: users inadvertently expose both their targets and themselves to ongoing spam victimization, while platform operators profit from both service fees and the commodification of harvested contact data.

Technical Analysis

Attack Methodology

SMS bombing attacks follow a predictable workflow that exploits weaknesses in API design and implementation.

Phase 1: API Discovery

Attackers identify vulnerable OTP endpoints through multiple techniques:

• Manual Testing: Identifying login pages and registration forms that trigger SMS verification
• Automated Scanning: Using tools to probe common API paths like /api/send-otp, /verify/sms, /auth/send-code
• Source Code Analysis: Examining mobile applications and web applications for hardcoded API endpoints
• Shared Intelligence: Leveraging community-maintained lists of vulnerable endpoints on forums and GitHub

Industry Sector Targeting Patterns

Our analysis reveals systematic targeting across multiple industry verticals, with telecommunications and authentication services comprising nearly half of all observed endpoints.

Phase 2: Tool Configuration

Modern SMS bombing tools require minimal setup:

• Multi-threading: Simultaneous requests to multiple APIs
• Proxy Support: Rotation of IP addresses to evade rate limiting
• Randomization: Variable delays between requests to appear more legitimate
• Persistence: Automatic retry mechanisms and error handling
• Reporting: Real-time statistics on successful message deliveries

Attacker Technology Stack Evolution

A detailed analysis of the ~20 repositories reveals significant technical sophistication and platform diversification:

Phase 3: Attack Execution

Once configured, the tool initiates a flood of legitimate-looking API requests.

Attack Vector Prevalence Analysis

Our analysis reveals the distribution of attack methods across the ~843 observed endpoints:

Technical Sophistication: Evasion Techniques

Analysis of the ~20 repositories reveals widespread adoption of anti-detection measures designed to bypass common security controls.

Impact Assessment

Individual Users

For end users targeted by SMS bombing attacks, the consequences include:

Impact Type	Description
Device Overload	Hundreds or thousands of incoming messages degrade device performance.
Communication Disruption	Legitimate messages are buried under spam, potentially leading to missed important notifications.
Inbox Capacity	SMS storage limits reached, preventing the receipt of new messages.
Battery Drain	Constant notifications deplete the affected device’s battery.
MFA Fatigue	Overwhelming authentication requests create security blind spots.
Data Harvesting	Prank sites for SMS bombing likely sell or reuse data for fraud or scams.

Organizations

Businesses whose APIs are exploited face multiple challenges:

Impact Category	Impact Type	Details
Financial Impact	Cost per OTP SMS	$0.05 to $0.20 per message
	Attack cost (10,000 messages)	$500 to $2,000 per attack
	Unprotected endpoints	Monthly bills can escalate to significant high amounts.
Operational Impact	User access issues	Legitimate users are unable to receive verification codes
	Customer service	Overwhelmed with complaints
	SMS delivery	Delays affecting all customers
	Regulatory compliance	Potential violations if users cannot access accounts
Reputational Impact	Media coverage	Negative social media coverage
	Customer trust	Erosion of customer confidence
	Brand damage	Association with spam and poor security
	Competitive position	Potential loss of business to competitors

Mitigation Strategies: Evidence-Based Recommendations

Based on analysis of successful bypass techniques across ~20 repositories, the following mitigation strategies are prioritized by effectiveness against observed attack patterns. Implementation of these controls addresses the primary exploitation vectors identified in our research.

For Service Providers (API Owners)

CRITICAL Priority

1. Implement Comprehensive Rate Limiting
Rationale	67% of targeted endpoints lack basic rate controls
Implementation	Per-IP Limiting: Maximum 5 OTP requests per hour. Per-Phone Limiting: Maximum 3 OTP requests per 15 minutes. Per-Session Limiting: Maximum 10 total verification attempts
Evidence	Would have blocked 81% of observed attack patterns

2. Deploy Dynamic CAPTCHA
Rationale	33% of tools exploit hardcoded reCAPTCHA tokens
Implementation	Use reCAPTCHA v3 with dynamic scoring. Rotate site keys regularly. Implement challenge escalation for suspicious behaviour
Evidence	Static CAPTCHA is defeated in most of the repositories

3. SSL/TLS Verification Enforcement
Rationale	75% of tools disable certificate validation to bypass security controls
Implementation	Enable HSTS (HTTP Strict Transport Security) headers, implement certificate pinning for mobile applications. Monitor and alert on certificate validation errors
Evidence	The most common evasion technique observed across repositories

HIGH Priority

Control	Rationale	Implementation Guidance
4. User-Agent Validation	58.3% of tools randomize User-Agent headers to evade detection	Maintain a whitelist of legitimate clients. Cross-validate User-Agent with other headers Flag mismatched browser/OS combinations
5. Request Pattern Analysis	Automated tools exhibit consistent timing patterns, unlike human behavior	Maintain a whitelist of legitimate clients. Cross-validate User-Agent with other headers. Flag mismatched browser/OS combinations
6. Phone Number Validation	Prevents abuse of number generation algorithms and invalid targets	Monitor for sub-100-ms request interval. Detect sequential API endpoint testing. Flag multiple failed CAPTCHA attempts

For Enterprises (API Consumers)

Mitigation Area	Recommended Actions
SMS Cost Monitoring	Set spending alerts at $100, $500, and $1,000 thresholds. Review daily SMS volumes for anomalies. Identify and investigate anomalous spikes immediately
Multi-Factor Authentication Hardening	Mandate rate-limiting requirements in service-level agreements Require CAPTCHA implementation on all OTP endpoints Request monthly security and abuse reports. Include SMS abuse liability clauses in contracts
Vendor Security Requirements	Mandate rate-limiting requirements in service-level agreements. Require CAPTCHA implementation on all OTP endpoints. Request monthly security and abuse reports. Include SMS abuse liability clauses in contracts

For Individuals

Protection Area	Recommended Actions
Number Protection	Document attack timing, volume, and sender information File police reports for harassment or threats. Request carrier assistance in blocking source numbers. Monitor all accounts for unauthorized access attempts
MFA Best Practices	Document attack timing, volume, and sender information. File police reports for harassment or threats. Request carrier assistance in blocking source numbers. Monitor all accounts for unauthorized access attempts
Incident Response	Prefer authenticator apps (Google Authenticator, Authy) over SMS Never approve unexpected or unsolicited MFA prompts. Contact the service provider immediately if SMS bombing occurs

Conclusion

The SMS/OTP bombing threat landscape has matured significantly between 2023 and 2026, evolving from simple harassment tools into sophisticated attack platforms with commercial distribution. Our analysis of ~20 repositories containing ~843 endpoints reveals systematic targeting across multiple industries and regions, with concentration in Iran (61.68%) and India (16.96%).

The emergence of Go-based high-performance tools, cross-platform GUI applications, and Telegram bot interfaces indicates the professionalization of this attack vector. With 75% of analyzed tools implementing SSL bypass and 58% using User-Agent randomization, defenders face sophisticated adversaries simultaneously employing multiple evasion techniques.

Organizations must prioritize comprehensive rate limiting, dynamic CAPTCHA implementation, and robust monitoring to achieve the projected 85%+ attack prevention effectiveness. The financial impact—potentially exceeding $50,000 monthly for unprotected endpoints—justifies immediate investment in defensive measures.

As the ecosystem continues to evolve, continuous monitoring of underground forums, repository activity, and emerging attack patterns remains essential for maintaining effective defenses against this persistent threat.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Initial Access	T1190	Exploit Public-Facing Application
Execution	T1059.006	Command and Scripting Interpreter
Defense Evasion	T1036.005	Masquerading: Match Legitimate Name or Location
Defense Evasion	T1027	Obfuscated Files or Information
Defense Evasion	T1553.004	Subvert Trust Controls: Install Root Certificate
Defense Evasion	T1090.002	Proxy: External Proxy
Credential Access	T1110.003	Brute Force: Password Spraying
Credential Access	T1621	Multi-Factor Authentication Request Generation
Impact	T1499.002	Endpoint Denial of Service: Service Exhaustion Flood
Impact	T1498.001	Network Denial of Service: Direct Network Flood
Impact	T1496	Resource Hijacking

The post SMS & OTP Bombing Campaigns: Evolving API Abuse Targeting Multiple Regions appeared first on Cyble.

Executive Summary

Cyble Research & Intelligence Labs (CRIL) has identified a Linux intrusion chain leveraging a highly obfuscated, fileless loader that deploys a weaponized variant of hackshell entirely from memory. Cyble tracks this activity under the name ShadowHS, reflecting its fileless execution model and lineage from the original hackshell utility. Unlike conventional Linux malware that emphasizes automated propagation or immediate monetization, this activity prioritizes stealth, operator safety, and long‑term interactive control over compromised systems.

The loader decrypts and executes its payload exclusively in memory, leaving no persistent binary artifacts on disk. Once active, the payload exposes an interactive post‑exploitation environment that aggressively fingerprints host security controls, enumerates defensive tooling, and evaluates prior compromise before enabling higher‑risk actions. While observed runtime behaviour remains deliberately conservative, payload analysis reveals a broad set of latent capabilities, including fingerprinting, credential access, lateral movement, privilege escalation, cryptomining, memory inspection, and covert data exfiltration.

Notably, the framework includes operator‑driven data exfiltration mechanisms that avoid traditional network transports altogether, instead abusing user‑space tunneling to stage or extract data in a manner designed to evade firewall controls and endpoint monitoring.

This clear separation between restrained runtime behaviour and extensive dormant functionality strongly suggests deliberate operator tradecraft rather than commodity malware logic. Overall, the activity reflects a mature, multi‑purpose Linux post‑compromise platform optimized for fileless execution, interactive control, and situationally adaptive expansion.

Key Takeaways

• The payload is not a standalone malware binary but a weaponized post-exploitation framework, derived from hackshell and adapted for long-term, interactive operator use.
• Incorporates fileless execution as its core design principle. The payload executes from anonymous file descriptors, spoofs argv[0], and avoids persistent filesystem artifacts, significantly complicating detection and forensic reconstruction.
• Runtime behaviour is intentionally restrained. The payload initially focuses on environmental awareness, security control discovery, and operator safety, while destructive or noisy actions remain dormant unless explicitly invoked.
• The framework includes covert, operator‑initiated data staging and exfiltration primitives that abuse user‑space tunneling and legitimate administrative tooling, enabling stealthy data movement even in tightly restricted network environments.
• The presence of extensive EDR/AV fingerprinting, kernel integrity checks, and in-memory malware detection suggests the operator expects to operate in defended enterprise environments rather than opportunistic or unmanaged systems.
• Dormant modules for credential access, lateral movement, crypto-mining, and anti-competition cleanup indicate that the payload can be dynamically repurposed based on operator intent, without altering the loader or redeploying artifacts.
• Overall, the tradecraft observed aligns more closely with advanced intrusion tooling or red-team frameworks than with commodity Linux malware, emphasizing flexibility, stealth, and manual control over automation.

Technical Analysis

The analyzed intrusion chain consists of two primary components:

1. A multi-stage, encrypted shell loader responsible for payload decryption, reconstruction, and fileless execution.
2. An in-memory payload that resolves to a heavily modified version of hackshell, weaponised into a full-featured operator framework. It can download other malware components (such as kernel exploits, cryptominer, and fingerprinting modules) as required by the operator.

Design choices observed throughout the chain—including encrypted embedded payloads, execution context awareness, argv spoofing, and extensive OPSEC logic—indicate a toolset intended for controlled post‑exploitation rather than mass exploitation. The framework enables operators to assess host posture, remain undetected for extended periods, and selectively activate additional capabilities.

The infection flow begins with execution of the obfuscated shell loader, which decrypts an embedded payload using AES‑256‑CBC, reconstructs it in memory, and executes it directly via /proc/<pid>/fd/<fd>. At no stage is the payload written to disk.

Once executed, the payload initializes an interactive shell environment. From this point forward, all activity is explicitly operator‑driven. Rather than automatically deploying miners, extracting data, or attempting propagation, the framework prioritizes reconnaissance, defensive awareness, and operational security. Advanced actions—such as covert data exfiltration using user‑space tunnels, credential harvesting, or privilege escalation—are available on demand, reinforcing that this tooling is designed for deliberate, long‑term intrusion operations rather than noisy, automated campaigns.

At first glance, the malware appears to contain 3 lines of heavily obfuscated shell code, where we see a high-entropy payload assigned to the special shell variable _ & staged text-encoded payload staged and emitted via shell escape processing ($'...'). (See Figure 1)

Loader Script

Upon analysis, it turned out to be a multi-stage, encrypted Linux loader with embedded payload written in POSIX shell, leveraging OpenSSL, Perl, and gzip to decrypt, decompress, and execute a payload entirely in memory. (See Figure 2)

The malware demonstrates tradecraft consistent with mature red-team tooling or advanced post-compromise frameworks, rather than commodity botnet loaders. Key characteristics include:

• Password-protected AES-256-CBC encrypted payload
• Dynamic execution path detection (source vs eval vs exec)
• Fileless execution with argv spoofing
• Environment hardening to evade logging
• Live system security introspection
• Operator-facing interactive CLI

Dependency Validation

Upon execution, the loader validates runtime dependencies (openssl, perl, gunzip) required for decryption and decompression. The absence of any fallback logic suggests targeted, operator-controlled attacks rather than opportunistic mass exploitation. (See Figure 3)

Credential-Based Payload Decryption

The loader contains an embedded Base64-encoded password and an encrypted control blob, both of which are decrypted using OpenSSL. During execution, the decrypted value (R=4817) is used as a byte offset to skip a binary header during stream reconstruction. The decryption command is dynamically assembled at runtime:

echo S1A76XhLvaqIQ+7WsT+Euw== | openssl enc -d -aes-256-cbc -md sha256 -nosalt -k C-92KemmzRUsREnkdk-SMxUoJy8yHhmItvA -a -A

This ensures that the compressed payload cannot be recovered statically without the full execution context.

Execution Context Awareness

Execution culminates in an interactive post-exploitation environment that explicitly minimizes filesystem artifacts, enumerates system security posture, and adapts execution based on shell context (Bash/Zsh). (See Figure 4)

The loader dynamically determines how it was invoked in order to guarantee correct payload execution — a pattern uncommon in commodity malware but common in operator-driven frameworks :

• Source execution: $BASH_SOURCE[0]
• Eval execution: $BASH_EXECUTION_STRING
• Direct file execution: $0
• Zsh compatibility: $ZSH_EVAL_CONTEXT

Payload Reconstruction & Fileless Execution

The payload is reconstructed through a multi-stage decoding pipeline consisting of Perl marker translation, AES-256-CBC decryption, Perl byte skipping (R=4817), and gzip decompression. The resulting binary is executed directly from memory via /proc/<pid>/fd/<f> using exec, with a spoofed argv[0] (${0:-python3}) (See Figure 5)

This ensures the payload never touches disk, evades file-integrity monitoring and traditional AV inspection, and obscures process attribution during incident response.

Importantly, all arguments passed to the loader are forwarded to the payload unchanged. This enables operator-controlled execution modes and on-demand behavior while keeping the loader's behavior static—a deliberate tradecraft choice that complicates detection strategies that rely on argument patterns.

Weaponized Hackshell

Once decrypted and executed directly from memory, the payload resolves to a heavily modified variant of hackshell, repurposed from a lightweight post-exploitation helper into a fully operator-driven intrusion framework. At runtime, it presents an interactive shell and explicitly signals that it avoids filesystem writes, immediately establishing intent for long-lived, low-noise operator interaction rather than smash-and-grab activity.

Payload Capabilities

The payload begins by fingerprinting the host and reporting environmental context back to the operator, including OS details, active users, PTYs, and privilege boundaries. This early-stage reconnaissance indicates that the operator is expected to make informed manual decisions rather than rely on fully automated tasking. (See Figure 6)

Expanded EDR / AV fingerprinting

The payload performs aggressive EDR and AV discovery using both filesystem path checks and service-state enumeration. Compared to upstream hackshell, this variant significantly expands coverage to include commercial EDR platforms, cloud agents, OT/ICS tooling, and telemetry collectors.

• Notable file-path-based detections (_hs_chk_fn) include CrowdStrike, LimaCharlie, Tanium, OTEL collectors, cloud vendor agents (Qcloud, Argus agent). (See Figure 7.1)
• Service-based detections (_hs_chk_systemd) include Falcon Sensor,  Cybereason, Elastic Agent, Sophos Intercept X & SPL, Cortex XDR, WithSecure, Wazuh, Rapid7, and Microsoft Defender (mdatp). (See Figure 7.2)

These checks are surfaced directly to the operator, reinforcing that this is an interactive intrusion tool rather than a background implant.

Anti-competition Logic

The malware implements robust anti-competition logic designed to identify and terminate rival miners and in-memory implants. It actively hunts for competing malware families such as Rondo and Kinsing, detects kernel rootkits via LKM and kernel-taint checks, and enumerates deleted or memfd-backed executables.

The payload collects PIDs associated with XMRig miners, UPX-packed binaries, and related scripts. It contains explicit logic to detect and kill Ebury — a well-known OpenSSH credential-stealing backdoor targeting Linux servers.

In parallel, the framework performs deep security posture introspection by enumerating kernel protections such as AppArmor, inspecting loaded kernel modules, and surveying /proc for indicators of instrumentation or prior compromise.

This enables the operator to rapidly assess whether the host is already infected, monitored, or hardened. (See Figure 8)

PATH manipulation, combined with TMPDIR and HOME relocation, further enables command shadowing and the execution of helper binaries from memory-backed locations, reducing forensic residue and enhancing operational flexibility.

Dormant / On‑Demand Capabilities

While runtime execution remains restrained, analysis of the payload code reveals a broad set of dormant capabilities that can be invoked on demand via operator commands or invocation arguments.

Notable on-demand capabilities include:

• Execution gating via _once() to ensure certain actions run only once per host or session.
• Memory dumping routines capable of extracting & dumping credentials/secrets from live processes. (See Figure 9)

• SSH-based network scanning and lateral movement tooling, including support for legacy cryptographic algorithms. (See Figure 10)

• Credential theft targeting AWS credentials, SSH keys, GitLab, Bitrix database, WordPress database, OpenStack user data, Yandex Cloud user data, Docker, Proxmox VMs and LXC, OpenVZ, and user HOME directory.
• Privilege escalation via execution of exploits downloaded from hardcoded C2 infrastructure. During analysis, multiple kernel exploits, an auto-exploitation script & a C source file were recovered from the C2 server. (Hashes mentioned in the IOC section) (See Figure 11)

Cryptomining

The framework implements multiple CPU and GPU cryptocurrency mining workflows, including XMRig, XMR-Stak, GMiner, and lolMiner, with pool failover logic. Miner configuration dynamically sources worker identifiers from bootcfg*.data files and executes miners through a wrapper (./-bash-screen) using password strings such as c=XMR,mc=${COIN_NAME}, where COIN_NAME defaults to "${1:-FREN}".

GMiner operates using the Kawpow algorithm with configured intensity, while additional miners target RYO and ETCHASH using CUDA backends and hardcoded wallet addresses and pools, including infrastructure at 204.93.253[.]180. (See Figure 12)

• GMiner implemented in gpu() uses kawpow algorithm with 75 intensity
  • Wallet address – 88H9UmU6QyYiGeZdR6hXZJXtJF9Z8zLHDQbC1NV1PDdjCynBq3QKzB1fo1NRhgMX4cBx68Rva5msyKW3PGXfPhCA4itHmiv
  • 87YLCx7zEFghgMEeZvJCZ3gHyS3fUsbAnXSTH8nh8EP7SeptPH8Pnh18snravwhE3dfRt5x67aWo8e6tSJ2cv4mpRNkSdqL

• Pool priority used by miner
  • 204.93.253[.]180 at port 4080
  • Kawpow.na.mine.zergpool[.]com at port 3638
  • Kawpow.asia.mine.zergpool[.]com at port 3638
  • kawpow.eu.mine.zergpool[.]com at port 3638

The other 2 miners’ details are:

• XMR-Stak (gpustak())
  • Wallet address – RYoNsBiFU6iYi8rqkmyE9c4SftzYzWPCGA3XvcXbGuBYcqDQJWe8wp8NEwNicFyzZgKTSjCjnpuXTitwn6VdBcFZEFXLcY4DwEsWGnj1SC1Sgq
  • Backend - CUDA (libxmrstak_cuda_backend.so)
  • Coin payout – RYO
  • Pool server - 204.93.253[.]180:3080

• LolMiner (gpuecho())
  • Wallet address – 0xd67f158b2bcc819eee7029f3477f0270ec1d37b4
  • Algorithm – ETCHASH
  • Pool server - 204.93.253[.]180:1080

Covert Data Staging and Exfiltration via GSocket‑Backed rsync

The payload implements dedicated data staging helpers (rs() and rs1()) that enable stealthy exfiltration of files or directories from the compromised host using rsync, while deliberately avoiding conventional network transports such as SSH, SCP, or SFTP. Instead of relying on standard TCP connections, the payload replaces rsync's transport layer via the -e option with GSocket user‑space tunnels (gs-dbus and gs-netcat), allowing file transfers to traverse covert channels that are rarely monitored by security tooling.

Both functions route traffic through a hardcoded GSocket rendezvous endpoint (62.171.153[.]47) and authenticate sessions using an operator‑supplied token ($rsynccode). The apparent destination (127.1:.) is intentionally misleading. However, it resembles a loopback address; the connection is intercepted by GSocket before reaching the local networking stack, enabling remote file transfer without opening inbound ports or establishing visible outbound sessions. This technique allows the operator to exfiltrate data even from hosts protected by restrictive firewall or egress filtering policies.

Two transport variants are provided. The rs() function leverages DBus‑based tunneling (gs-dbus), favoring stealth in environments where DBus traffic is common and rarely inspected. The rs1() variant uses a netcat‑style GSocket tunnel (gs-netcat), offering higher throughput for bulk transfers at the cost of slightly increased visibility. (See Figure 13)

Both modes preserve file permissions, timestamps, and partial transfer state, indicating deliberate support for long‑running, interruption‑tolerant exfiltration workflows rather than opportunistic data theft.

Lateral Movement

For lateral movement, the malware performs automated discovery and brute-force attempts against SSH services by using open-source tools.

• Rustscan, a modern port scanner used to identify reachable SSH endpoints (with configurable target) and output the result in oG format (output Greppable), meant to be consumed by spirit. This serves as an attack surface for brute-force attacks.
• Next, it downloads & extracts spirit (another penetration testing tool) to the local directory, renames it to –bash, cleans up artifacts, & runs it to grab banners (to determine version info.) & brute-force SSH logins against hosts in h.lst using default credentials. (See Figure 14)

Integrated Assessment

The payload exhibits a deliberate dual-layer design. The default runtime layer emphasizes reconnaissance, memory-only execution, stealth, and interactive control. The dormant, on-demand layer enables crypto-mining, privilege escalation, memory theft, covert staging & exfiltration, lateral movement, and C2-driven updates, allowing operators to expand impact opportunistically without increasing detection surface.

Combined with the loader's fileless execution model, this malware is optimized for long-term presence, operational flexibility, and defensive evasion. It is not characteristic of commodity Linux malware; instead, it reflects a mature, multi-purpose post-exploitation framework built around interactive operator control.

Conclusion

Together, the loader and payload analyzed in this report demonstrate a highly mature Linux post‑exploitation framework designed for stealth, flexibility, and long-term operator control.

Rather than focusing on immediate or obvious impact, the malware emphasizes situational awareness, evasion of defenses, and the selective activation of capabilities based on real-time operator judgment and environmental factors.

This behavior is unusual for standard Linux malware. Instead, it shows intentional design choices typical of advanced intrusion tools, prioritizing operational safety, flexibility, and durability over automation and scale.

The framework's comprehensive security review, along with its fileless execution approach, argument-driven modularity, and operator-controlled data movement methods, allows customized per-host operations while keeping a consistently low-profile execution environment.

The weaponization of the original hackshell utility further highlights this intent. Equipped with features for cryptomining, lateral movement tools, exploit delivery methods, covert data staging, and exfiltration primitives, along with aggressive OPSEC measures, the payload is clearly meant for long-term access and targeted monetization rather than widespread distribution.

Therefore, effective detection and disruption require visibility into in-memory execution, process behavior, and kernel-level telemetry, as traditional file-based and signature-driven controls are unlikely to offer enough coverage against this type of threat.

Cyble's Threat Intelligence Platforms continuously monitor emerging threats, phishing infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that serve as the first line of defense against attackers. We recommend that our readers follow the best practices given below:

Defenders should prioritize behavioral detection over static signatures for staying protected against attacks like ShadowHS

• Execution of ELF binaries from /proc/<pid>/fd/<fd>
• OpenSSL decryption invoked from shell or Perl pipelines reconstructing executables.
• Full execution strings from bash‑memory and Perl one‑liners invoking syscalls.
• Shell scripts performing dependency validation for openssl, perl & gunzip.
• Extensive enumeration of /proc/*/exe for deleted or memfd-backed binaries
• GDB is being invoked against live processes for memory dumping
• PATH prefixed with . in interactive shells
• Abuse of legitimate synchronization or transfer utilities over non‑standard execution transports for data staging or exfiltration.
• Monitor for argv spoofing anomalies where executable path is not equal to the cmdline name & alert on memory-only processes, specifically interactive shells running without backing executables.
• Monitor perl exec{} pattern with anonymous file descriptors.
• Add rules for AES-CBC -nosalt misuse in shell pipelines.
• Track outbound data transfers initiated via user‑space tunnels or non‑standard rsync transports.

Cloud & Container Environments

This framework explicitly checks for cloud agents and monitoring tools. In cloud-hosted Linux environments:

• Treat unexpected /proc scanning and kernel module enumeration as high-risk
• Monitor for SSH brute‑force or reconnaissance tooling launched post‑compromise (e.g., rustscan, spirit)
• Watch for GPU utilization spikes tied to hidden –bash-screen sessions
• Alert on data movement from compute workloads using atypical synchronization or tunnelling mechanisms.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Execution	T1059.004 – Command and Scripting Interpreter: Unix Shell	The loader and payload are implemented entirely in POSIX shell and Perl, enabling execution through standard shell interpreters without introducing foreign binaries.
Execution	T1620 – Reflective Code Loading	The payload is decrypted, decompressed, and executed directly from memory via anonymous file descriptors under /proc/<pid>/fd/, never touching disk.
Defense Evasion	T1036.005 – Masquerading: Match Legitimate Name or Location	The payload spoofs argv[0] to match the loader script name, causing process listings and /proc/<pid>/cmdline to resolve to a benign-looking script.
Defense Evasion	T1070 – Indicator Removal on Host	The payload aggressively disables shell history, cleans command artifacts, relocates HOME/TMPDIR, and avoids filesystem writes to minimize forensic traces.
Defense Evasion	T1562.001 – Impair Defenses: Disable or Modify Tools	The framework detects EDR/AV tooling and exposes operator functions that can terminate competing malware, miners, or defensive agents.
Discovery	T1082 – System Information Discovery	The payload collects OS, kernel, user sessions, PTYs, and privilege context to inform operator decision-making during interactive access.
Discovery	T1083 – File and Directory Discovery	Extensive inspection of /proc and system paths is performed to enumerate executables, deleted binaries, and memory-backed artifacts.
Discovery	T1518.001 – Software Discovery: Security Software	The payload performs both path-based and service-based discovery for dozens of EDR, AV, cloud agents, OT tools, and log shippers.
Discovery	T1016.001 – Network Service Discovery	Dormant scanning modules support SSH discovery and enumeration of reachable services for potential lateral movement.
Credential Access	T1555 – Credentials from Password Stores	Memory-dump routines present in the payload enable the extraction of credentials and secrets from live processes when invoked by the operator.
Lateral Movement	T1021.004 – Remote Services: SSH	SSH-based access and pivoting are supported, including forced use of legacy cryptographic algorithms to access older infrastructure.
Collection	T1005 – Data from Local System	Interactive operator commands allow targeted collection of host data, process information, and sensitive artifacts without bulk exfiltration.
Exfiltration	T1048.003 - Exfiltration Over Alternative Protocol	Data can be staged or exfiltrated using legitimate synchronization utilities over user‑space tunnels, avoiding traditional C2 channels.
Impact	T1496 – Resource Hijacking	Dormant CPU/GPU mining modules can be activated on demand, supporting multiple miners and pool configurations.

Indicators of Compromise (IOCs)

Indicators	Indicator Type	Description
91.92.242[.]200	IPv4	Primary payload staging infrastructure
62.171.153[.]47	IPv4	Operator-controlled relay for exfiltration and post-compromise operations
20c1819c2fb886375d9504b0e7e5debb87ec9d1a53073b1f3f36dd6a6ac3f427	SHA-256	Main obfuscated shell loader script
9f2cfc65b480695aa2fd847db901e6b1135b5ed982d9942c61b629243d6830dd	SHA-256	Custom weaponized hackshell payload
148f199591b9a696197ec72f8edb0cf4f90c5dcad0805cfab4a660f65bf27ef3	SHA-256	RustScan port scanner
574a17028b28fdf860e23754d16ede622e4e27bac11d33dbf5c39db501dfccdc	SHA-256	spirit-x86_64.tgz archive
3f014aa3e339d33760934f180915045daf922ca8ae07531c8e716608e683d92d	SHA-256	spirit/-bash (UPX-packed binary)
847846a0f0c76cf5699342a066378774f1101d2fb74850e3731dc9b74e12a69d	SHA-256	spirit/-bash (unpacked Golang binary)
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6	SHA-256	gpu1/screen miner wrapper
e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096	SHA-256	gpu1/lol miner component
0bb7d4d8a9c8f6b3622d07ae9892aa34dc2d0171209e2829d7d39d5024fd79ef	SHA-256	xmr/xmrigremove.sh
9fdaf64180b7d02b399d2a92f1cdd062af2e6584852ea597c50194b62cca3c0b	SHA-256	gpustak/-bash binary
b3ee445675fce1fccf365a7b681b316124b1a5f0a7e87042136e91776b187f39	SHA-256	gpustak/libxmrstak_cuda_backend.so CUDA backend
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6	SHA-256	gpustak/screen miner wrapper
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6	SHA-256	gpuecho/screen miner wrapper
3ba88f92a87c0bb01b13754190c36d8af7cd047f738ebb3d6f975960fe7614d6	SHA-256	gpuecho/lol miner component
5a6b08d42cc8296b32034b132bab18d201a48c1628df3200e869722506dd4ec6	SHA-256	gpu/screen miner wrapper
e11bcba19ac628ae1d0b56e43646ae1b5da2ccc1da5162e6719d4b7d68d37096	SHA-256	gpu/lol miner component
4069eaadc94efb5be43b768c47d526e4c080b7d35b4c9e7eeb63b8dcf0038d7d	SHA-256	ex/dirtycredz.x86_64 credential exploitation tool
72023e9829b0de93cf9f057858cac1bcd4a0499b018fb81406e08cd3053ae55b	SHA-256	ex/payload.so shared object payload
662d4e58e95b7b27eb961f3d81d299af961892c74bc7a1f2bb7a8f2442030d0e	SHA-256	ex/overlay helper component
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	SHA-256	ex/GCONV_PATH=./lol empty placeholder file
c679b408275f9624602702f5601954f3b51efbb1acc505950ee88175854e783f	SHA-256	ex/payload.c payload source code
666122c39b2fd4499678105420e21b938f0f62defdbc85275e14156ae69539d6	SHA-256	ex/blast exploitation utility
8007b94d367b7dbacaac4c1da0305b489f0f3f7a38770dcdb68d5824fe33d041	SHA-256	ex/dp Dirty Pipe exploit
072e08b38a18a00d75b139a5bbb18ac4aa891f4fd013b55bfd3d6747e1ba0a27	SHA-256	ex/ubu privilege escalation helper
6c50fcf14af7f984a152016498bf4096dd1f71e9d35000301b8319bd50f7f6d0	SHA-256	ex/cve-2025-21756 exploit binary
04a072481ebda2aa8f9e0dac371847f210199a503bf31950d796901d5dbe9d58	SHA-256	ex/traitor-x86_64 privilege escalation tool
19df5436972b330910f7cb9856ef5fb17320f50b6ced68a76faecddcafa7dcd7	SHA-256	ex/autoroot.sh automated root escalation script
7fbab71fcc454401f6c3db91ed0afb0027266d5681c23900894f1002ceca389a	SHA-256	ex/dirtypipe.x86_64 Dirty Pipe exploit variant
e5a6deec56095d0ae702655ea2899c752f4a0735f9077605d933a04d45cd7e24	SHA-256	ex/dirtypagetable.x86_64 kernel exploitation tool
7361c6861fdb08cab819b13bf2327bc82eebdd70651c7de1aed18515c1700d97	SHA-256	ex/lol/gconv-modules GCONV-based exploitation component

The post ShadowHS: A Fileless Linux Post‑Exploitation Framework Built on a Weaponized hackshell appeared first on Cyble.

Executive Summary

deVixor is an actively developed Android banking malware campaign operating at scale, targeting Iranian users through phishing websites that masquerade as legitimate automotive businesses.

Distributed as malicious APK files, deVixor has evolved from a basic SMS-harvesting threat into a fully featured Remote Access Trojan (RAT) that combines banking fraud, credential theft, ransomware, and persistent device surveillance within a single platform.

Active since October 2025, Cyble Research and Intelligence Lab’s (CRIL) analysis of over 700 samples indicates with high confidence that the threat actor has been conducting a mass infection campaign leveraging Telegram-based infrastructure, enabling centralized control, rapid updates, and sustained campaign evolution.

Key Takeaways

• deVixor is a sophisticated Android banking trojan that combines financial data theft, device surveillance, and remote control into a single malware platform.
• The malware is actively distributed through fake websites posing as legitimate automotive businesses, tricking users into installing malicious APK files.
• deVixor extensively harvests SMS-based financial information, including OTPs, account balances, card numbers, and messages from banks and cryptocurrency exchanges.
• It leverages WebView-based JavaScript injection to capture banking credentials by loading legitimate banking pages inside a WebView.
• The malware includes a remotely triggered ransomware module capable of locking devices and demanding cryptocurrency payments.
• deVixor uses Firebase for command delivery and Telegram-based bot infrastructure for administration, allowing attackers to manage infections at scale and evade traditional detection mechanisms.

Overview

Android banking malware has progressed well beyond basic credential-harvesting threats, evolving into sophisticated remote access toolkits maintained as persistent, service-driven criminal operations.

During our ongoing analysis of malicious sites, we uncovered deVixor, a previously underreported Android Remote Access Trojan (RAT) actively distributed via fraudulent websites masquerading as legitimate automotive companies.

These sites lure victims with heavily discounted vehicle offers and trick them into downloading a malicious APK, which ultimately installs the deVixor malware on the device.

Some of the malicious URLs distributing deVixor RAT are:

• hxxp://asankhodroo[.]shop
• hxxp://www[.]asan-khodro.store
• hxxp://www[.]naftyar.info/naftman.apk
• hxxp://abfayar[.]info/abfa.apk
• hxxps://blupod[.]site/blupod.apk
• hxxps://naftman[.]oghabvip.ir/naftman.apk
• hxxp://vamino[.]online.infochatgpt.com/vamino.apk
• hxxps://lllgx[.]site/mm/V6.apk

CRIL identified more than 700 samples of multiple variants of the deVixor RAT from October 2025. Early versions of the malware exhibited limited functionality, primarily focused on collecting PII and harvesting banking-related SMS messages.

Subsequent variants showed a clear evolution in capabilities, introducing banking-focused overlay attacks, keylogging, ransomware attacks, Google Play Protect bypass techniques, and extensive abuse of Android’s Accessibility Service.

Our investigation also uncovered a Telegram channel operated by the threat actor, which was created shortly after the initial development of deVixor RAT and was actively used to publish version updates, promote new capabilities, and share operational screenshots.

Notably, screenshots posted in the channel reveal numerous devices that are simultaneously infected, each associated with a unique Bot ID (referred to by the actor as a “Port”), suggesting an active campaign operating at scale.

The channel’s growing subscriber base further supports the assessment that deVixor is being maintained and distributed as an ongoing criminal service rather than a short-lived operation. (See Figures 1, 2, and 3)

The deVixor RAT leverages a Telegram bot–based administrative panel for issuing commands. Each deployed APK is assigned a unique Bot ID stored in a local port.json file, enabling the operator to track, monitor, and control individual infected devices.

Once registered, the operator receives real-time updates via Telegram and can issue commands that are relayed to infected devices through backend infrastructure. Figure 4 illustrates the available administrative actions and operational updates as observed in the threat actor’s Telegram channel. (see Figure 4)

Multiple indicators suggest that the campaign is regionally focused. Linguistic artifacts observed in Telegram communications, operator messages, and hardcoded strings within the APK, combined with the exclusive targeting of Iranian banks, domestic payment services, and local cryptocurrency exchanges, strongly indicate that Iranian users are the primary targets of this operation. The use of Persian-language user interface elements in phishing overlays further reinforces this assessment.

DeVixor demonstrates how modern Android banking malware has evolved into a scalable, service-driven criminal platform capable of compromising devices over the long term and facilitating financial abuse.

Its active development, growing feature set, and reliance on legitimate platforms such as Telegram for command-and-control pose a significant risk to Android users. The next section provides a detailed technical analysis of deVixor RAT’s functionality, command structure, and abuse mechanisms observed across multiple variants.

Technical Analysis

Upon installation, the deVixor RAT prompts victims to grant permissions to access SMS messages, contacts, and files. In newer variants, it additionally requests Accessibility service permissions. (see Figure 5)

Once the required permissions are granted, the malware establishes communication with Firebase to receive commands from the threat actor. In parallel, deVixor decrypts a hardcoded alternate Command-and-Control (C&C) server URL, which is used to exfiltrate the collected data.

Overall, deVixor relies on two distinct servers for its operations: (see Figure 6)

• Firebase server – used for receiving commands
• C&C server – used for transmitting stolen data

Bank Information Harvesting

The deVixor RAT uses multiple techniques to steal banking information. One of its main approaches involves collecting banking-related data from SMS messages. In addition, deVixor leverages a WebView injection technique to redirect victims to banking pages, where JavaScript-based injections are used to capture login credentials and other sensitive financial information.

SMS-Based Banking Data Harvesting

deVixor has implemented multiple commands to harvest banking information, including card details, bank balance amounts, SMSs coming from banks and crypto applications, and OTPs:

GET_BANK_BALANCE Command

The command scans up to 5,000 SMS messages on the infected device to identify banking-related content, extract account balances and OTPs, and associate them with known Iranian banks using a hardcoded set of sender and bank keyword signatures.

It applies regular expressions to parse balances and OTP codes, checks whether the corresponding official banking applications are installed, and exfiltrates the results as a structured JSON response under the GET_ACCOUNT_SUMMARY command.

The report includes the bank name, balance, OTP availability and value, app installation status, and the total number of identified banks. (see Figure 7)

GET_CARD_NUMBER Command

Similar to the previous command, deVixor scans all SMS messages in the infected device’s inbox to identify credit and debit card numbers. It uses regular expressions to detect and validate card numbers, then exfiltrates the extracted information to the C&C server.

GET_EXCHANGE Command

This command scans the victim’s SMS inbox for messages originating from cryptocurrency exchanges and payment services. It extracts recent messages for each identified sender and exfiltrates the collected data to the C&C server. The malware specifically targets SMS messages associated with the following cryptocurrency exchanges (see Figure 8)

• Binance
• CoinEx
• Ramzinex
• Exir
• Tabdeal
• Bitbarg
• TetherLand
• AbanTether
• OkExchange
• ArzDigital
• IranCryptoMarket
• Cryptoland
• Bitex
• Excoino

GET_BANK_SMS Command

Similar to the GET_EXCHANGE command, this command collects the most recent SMS messages sent by known banks and payment services. The harvested messages are returned to the C&C server as a structured JSON response labeled GET_BANK_SMS. Below is the list of banks and payment services targeted by deVixor (see Figure 9)

• Bank Melli Iran
• Bank Mellat
• Bank Tejarat
• Bank Saderat Iran
• Bank Sepah
• Bank Maskan
• Bank Keshavarzi
• Bank Refah
• Bank Pasargad
• Bank Parsian
• Bank Ayandeh
• Bank Saman
• Bank Sina
• Bank Dey
• Post Bank Iran
• Middle East Bank
• Iran Zamin Bank
• Eghtesad Novin Bank
• Karafarin Bank
• Shahr Bank
• Hekmat Iranian Bank
• Industry & Mine Bank
• Export Development Bank of Iran
• Tavon Bank
• BluBank
• Iran Kish

This SMS-based financial information harvesting enables attackers to carry out banking fraud and account takeovers, leading to wallet draining and significant financial losses for victims.

Fake Bank Notification and Credential Harvesting

deVixor uses the “BankEntryNotification” command to generate fraudulent bank notifications designed to lure users into interacting with them. When a victim taps the notification, the malware loads a legitimate banking website inside a WebView and injects malicious JavaScript into the login forms.

Once the user enters their username and password and clicks the login button, the credentials are silently exfiltrated to the C&C server. The figure below illustrates the JavaScript injection technique used for credential harvesting. (see Figure 10)

Ransomware Activity

The deVixor RAT includes an embedded ransomware module that can be remotely triggered using the “RANSOMWARE” command. Upon receiving this command, the malware parses the attacker-supplied parameters, including the ransom note, a TRON cryptocurrency wallet address, and the demanded payment amount.

These details are stored locally in a file named LockTouch.json, which serves as a persistent configuration file to retain the ransomware state across device reboots. The malware then sets an internal locked status and prepares the ransom metadata used by the lock-screen component.

Based on screenshots shared on the threat actor’s Telegram channel, deVixor locks the victim’s device and displays a ransom message stating “Your device is locked. Deposit to unlock”, along with the attacker’s TRON wallet address and a demand of 50 TRX.

The malware also generates a response containing device identifiers and ransom-related details, which is sent back to the C&C server to track victim status and potential compliance. (see Figure 11)

This functionality demonstrates that deVixor is capable of conducting financial extortion, in addition to its existing capabilities for credential theft and user surveillance.

In addition to the features described above, the malware is capable of collecting all device notifications, capturing keystrokes, preventing uninstallation, hiding its presence, harvesting contacts, and taking screenshots. We’ve compiled a full list of supported commands below:

deVixor v1 and v2 Commands

V1 Commands	V2 Commands	Description
RUN_USSD:	RUN_USSD:	Execute USSD request
SET_OF_MOD:	SEARCH_APP:	Finds the targeted application installed on the device
-	SEARCH_ALL_SMS	Search SMSs with the keywords, store the result in sms_search_keyword.txt, and send the file to the server.
BankEntryNotification:	BankEntryNotification:	Generate a fake Bank notification to initiate bank login activity and harvest credentials using JavaScript injection.
-	SET_WARNING_BANK:	Displays a fake bank security warning to trick users into logging in on fraudulent banking pages.
CHANGE_SERVER:	CHANGE_SERVER:	Change C&C server
CHANGE_FIREBASE:	CHANGE_FIREBASE:	Change the Firebase server
-	RANSOMWARE:	Initiate Ransomware Activity
SEND_SMS:	SEND_SMS:	Send SMS to the number received from the server
SEND_SMS_TO_ALL:	SEND_SMS_TO_ALL:	Send SMS to all the contacts saved in the infected device
GET_HISTORY_SMS:	GET_HISTORY_SMS:	Saves all SMSs from the infected device to chat_history_*.txt and sends it to the server
ADD_CONTACT:	ADD_CONTACT:	Insert the contact into the infected device's contact list
IMPORT_VCF	IMPORT_VCF	Collects the vCard file
GET_CAMERA_PHOTOS	GET_CAMERA_PHOTOS	Collects pictures captured using the camera
-	GET_ALL_SENT_SMS	Collects sent sms history
-	NOTIFICATION_READER	Collect notifications
UNHIDE	UNHIDE	Appears again in the applications
SET_VIBRATE	SET_VIBRATE	SET_VIBRATION_MODE
-	BANK_WARNING	Collect the active fake bank warning list.
ONCHANGE	ONCHANGE	Disguise as a YouTube app
GET_APPS	GET_APPS	Collects the application package list
-	GET_GOLD	Collecting SMSs that are coming from the mentioned mobile numbers
SMS_TO_ALL	SMS_TO_ALL	Collects SIM information
GET_BANK_BALANCE	GET_BANK_BALANCE	Collects bank balance from SMSs
GET_BNC_APPS	GET_BNC_APPS	Collects the banking application list
-	GET_ALL_RECEIVED_SMS	Collects all received SMSs
GET_SIM_SMS	GET_SIM_SMS	Get SIM information
HIDE	HIDE	Hides application
TAKE_SCREENSHOT	TAKE_SCREENSHOT	Captures Screenshot
-	REMOVE_RANSOMWARE	Remove Ransomware Overlay
GET_DEVICE_INFO	GET_DEVICE_INFO	Collects device information
SET_SOUND	SET_SOUND	Set notification sound
OFFCHANGE	OFFCHANGE	Disable disguise and appear using the original app icon
GET_EXCHANGE	GET_EXCHANGE	Collect SMSs related to crypto exchange and financial services
GET_IPS	GET_IPS	Collect the IP address of the infected device
GET_CARD_NUMBER	GET_CARD_NUMBER	Collects card numbers from SMSs
GET_BANK_SMS	GET_BANK_SMS	Collecting all SMSs coming from banks
GET_ACCOUNT	GET_ACCOUNT	Get account details from the infected device
REVIVE_FOREGROUND	REVIVE_FOREGROUND	Sends the device's active status
GET_USSD_INFO	GET_USSD_INFO	Get SIM Info to support USSD operations
GET_LAST_SMS	-	Collecting recent SMSs
GET_ALL_SMS	GET_ALL_SMS	Collect all SMSs
-	KEYLOGGER	Collects Keylogged data stored in file keuboard_history.txt
GET_SCREENSHOTS	GET_SCREENSHOTS	Collects screenshots from the server
GET_PHONE_NUMBER	GET_PHONE_NUMBER	Collect the device phone number
SET_SILENT	SET_SILENT	Put the device on silent
GET_GALLERY	GET_GALLERY	Collect gallery media
GET_CONTACTS	GET_CONTACTS	Collect contacts

Conclusion

deVixor is a feature-rich Android banking Trojan that reflects the latest evolution of Android malware. It combines SMS-based financial data harvesting, WebView-based JavaScript injection attacks, ransomware capabilities, and full remote device control to facilitate banking fraud, account takeovers, financial extortion, and prolonged user surveillance from a single platform.

The modular command architecture, persistent configuration mechanisms, and an active development cycle all indicate that deVixor is not an isolated campaign, but a maintained and extensible criminal service.

The targeted focus on Iranian banks, payment services, and cryptocurrency platforms highlights deliberate victim profiling and regional specialization.

---

Cyble's Threat Intelligence Platforms continuously monitor emerging threats, infrastructure, and activity across the dark web, deep web, and open sources. This proactive intelligence empowers organizations with early detection, impersonation, infrastructure mapping, and attribution insights. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

• Install Apps Only from Trusted Sources:
  Download apps exclusively from official platforms, such as the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
• Be Cautious with Permissions and Installs:
  Never grant permissions and install an application unless you're certain of an app's legitimacy.
• Watch for Phishing Pages:
  Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
• Enable Multi-Factor Authentication (MFA):
  Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
• Report Suspicious Activity:
  If you suspect you've been targeted or infected, report the incident to your bank and local authorities immediately. If necessary, reset your credentials and perform a factory reset.
• Use Mobile Security Solutions:
  Install a mobile security application that includes real-time scanning.
• Keep Your Device Updated:
   Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities that malware exploits.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Procedure
Initial Access (TA0027)	Phishing (T1660)	Malware is distributed via a phishing site
Persistence (TA0028)	Event Triggered Execution: Broadcast Receivers(T1624.001)	deVixor registered the BOOT_COMPLETED broadcast receiver to activate on device startup
Persistence (TA0028)	Foreground Persistence (T1541)	deVixor uses foreground services by showing a notification
Defense Evasion (TA0030)	Hide Artifacts: Suppress Application Icon (T1628.001)	deVixor hides icon
Defense Evasion (TA0030)	Impair Defenses: Prevent Application Removal (T1629.001)	Prevent uninstallation
Defense Evasion (TA0030)	Impair Defenses: Disable or Modify Tools (T1629.003)	deVixor can disable Google Play Protect
Defense Evasion (TA0030)	Masquerading: Match Legitimate Name or Location (T1655.001)	Masquerade as a YouTube app
Defense Evasion (TA0030)	Obfuscated Files or Information (T1406)	deVixor uses an encrypted C&C server URL
Credential Access (TA0031)	Access Notifications (T1517)	deVixor collects device notifications
Credential Access (TA0031)	Input Capture: Keylogging (T1417.001)	deVixor collects keylogged data
Credential Access (TA0031)	Input Capture: GUI Input Capture (T1417.002)	deVixor collects entered banking credentials
Discovery (TA0032)	Software Discovery (T1418)	deVixor collects the installed application list
Discovery (TA0032)	System Information Discovery (T1426)	deVixor collects the device information
Collection (TA0035)	Archive Collected Data (T1532)	deVixor compressing collected data and saving to a .zip file
Collection (TA0035)	Data from Local System (T1533)	deVixor collects media from the gallery
Collection (TA0035)	Protected User Data: Contact List (T1636.003)	Collects contact data
Collection (TA0035)	Protected User Data: SMS Messages (T1636.004)	Collects SMS data
Collection (TA0035)	Protected User Data: Accounts (T1636.005)	deVixor collects Accounts data
Collection (TA0035)	Screen Capture (T1513)	deVixor can take Screenshots
Command and Control (TA0037)	Application Layer Protocol: Web Protocols (T1437.001)	Malware uses HTTPs protocol
Exfiltration (TA0036)	Exfiltration Over C2 Channel (T1646)	deVixor sends collected data to the C&C server
Impact (TA0034)	SMS Control (T1582)	deVixor can send SMSs from the infected device

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

The post deVixor: An Evolving Android Banking RAT with Ransomware Capabilities Targeting Iran appeared first on Cyble.

Following our earlier reporting on RTO-themed threats, CRIL observed a renewed phishing wave abusing the e-Challan ecosystem to conduct financial fraud. Unlike earlier Android malware-driven campaigns, this activity relies entirely on browser-based phishing, significantly lowering the barrier for victim compromise. During the course of this research, CRIL also noted that similar fake e-Challan scams have been highlighted by mainstream media outlets, including Hindustan Times, underscoring the broader scale and real-world impact of these campaigns on Indian users.

The campaign primarily targets Indian vehicle owners via unsolicited SMS messages claiming an overdue traffic fine. The message includes a deceptive URL resembling an official e-Challan domain. Once accessed, victims are presented with a cloned portal that mirrors the branding and structure of the legitimate government service. At the time of this writing, many of the associated phishing domains were active at the time, indicating that this is an ongoing and operational campaign rather than isolated or short-lived activity.

The same hosting IP was observed serving multiple phishing lures impersonating government services, logistics companies, and financial institutions, indicating a shared phishing backend supporting multi-sector fraud operations.

The infection chain, outlined in Figure 1, showcases the stages of the attack.

Key Takeaways

• Attackers are actively exploiting RTO/e-Challan themes, which remain highly effective against Indian users.
• The phishing portal dynamically fabricates challan data, requiring no prior victim-specific information.
• The payment workflow is deliberately restricted to credit/debit cards, avoiding traceable UPI or net banking rails.
• Infrastructure analysis links this campaign to BFSI and logistics-themed phishing hosted on the same IP.
• Browser-based warnings (e.g., Microsoft Defender) are present but frequently ignored due to urgency cues.

A sense of urgency, evidenced in this campaign, is usually a sign of deception. By demanding a user’s immediate attention, the intent is to make a potential victim rush their task and not perform due diligence.

Users must accordingly exercise caution, scrutinize the domain, sender, and never trust any unsolicited link(s).

Technical findings

Stage 1: Phishing SMS Delivery

The attack we first identified started with victims receiving an SMS stating that a traffic violation fine is overdue and must be paid immediately to avoid legal action. The message includes:

• Threatening language (legal steps, supplementary charges)
• A shortened or deceptive URL mimicking e-Challan branding
• No personalization, allowing large-scale delivery

The sender appears as a standard mobile number, which increases delivery success and reduces immediate suspicion. (see Figure 2)

Stage 2: Redirect to Fraudulent e-Challan Portal

Clicking the embedded URL redirects the user to a phishing domain hosted on 101[.]33[.]78[.]145.

The page content is originally authored in Spanish and translated to English via browser prompts, suggesting the reuse of phishing templates across regions. (see Figure 3)

The Government insignia, MoRTH references, and NIC branding are visually replicated. (see Figure 3)

Stage 3: Fabricated Challan Generation

The portal prompts the user to enter:

• Vehicle Number
• Challan Number
• Driving License Number

Regardless of the input provided, the system returns:

• A valid-looking challan record
• A modest fine amount (e.g., INR 590)
• A near-term expiration date
• Prominent warnings about license suspension, court summons, and legal proceedings

This step is purely psychological validation, designed to convince victims that the challan is legitimate. (see Figure 4)

Stage 4: Card Data Harvesting

Upon clicking “Pay Now”, victims are redirected to a payment page claiming secure processing via an Indian bank. However:

• Only credit/debit cards are accepted
• No redirection to an official payment gateway occurs
• CVV, expiry date, and cardholder name are collected directly

During testing, the page accepted repeated card submissions, indicating that all entered card data is transmitted to the attacker backend, independent of transaction success. (see Figure 5)

Infrastructure Correlation and Campaign Expansion

CRIL identified another attacker-controlled IP, 43[.]130[.]12[.]41, hosting multiple domains impersonating India’s e-Challan and Parivahan services. Several of these domains follow similar naming patterns and closely resemble legitimate Parivahan branding, including domains designed to look like Parivahan variants (e.g., parizvaihen[.]icu). Analysis indicates that this infrastructure supports rotating, automatically generated phishing domains, suggesting the use of domain generation techniques to evade takedowns and blocklists.

The phishing pages hosted on this IP replicate the same operational flow observed in the primary campaign, displaying fabricated traffic violations with fixed fine amounts, enforcing urgency through expiration dates, and redirecting victims to fake payment pages that harvest full card details while falsely claiming to be backed by the State Bank of India.

This overlap in infrastructure, page structure, and social engineering themes suggests a broader, scalable phishing ecosystem that actively exploits government transport services to target Indian users.

Further investigation into IP address 101[.]33[.]78[.]145 revealed more than 36 phishing domains impersonating e-Challan services, all hosted on the same infrastructure.

The infrastructure also hosted phishing pages targeting:

• BFSI (e.g., HSBC-themed payment lures)
• Logistics companies (DTDC, Delhivery) (see Figures 7,8)

Consistent UI patterns and payment-harvesting logic across campaigns

This confirms the presence of a shared phishing infrastructure supporting multiple fraud verticals.

SMS Origin and Phone Number Analysis

As part of the continued investigation, CRIL analyzed the originating phone number used to deliver the phishing e-Challan SMS. A reverse phone number lookup confirmed that the number is registered in India and operates on the Reliance Jio Infocomm Limited mobile network, indicating the use of a locally issued mobile connection rather than an international SMS gateway.

Additionally, analysis of the number showed that it is linked to a State Bank of India (SBI) account, further reinforcing the campaign’s use of localized infrastructure. The combination of an Indian telecom carrier and association with a prominent public-sector bank likely enhances the perceived legitimacy of the scam. It increases the effectiveness of government-themed phishing messages. (see Figure 9)

Conclusion

This campaign demonstrates that RTO-themed phishing remains a high-impact fraud vector in India, particularly when combined with realistic UI cloning and psychological urgency. The reuse of infrastructure across government, logistics, and BFSI lures highlights a professionalized phishing operation rather than isolated scams.

As attackers continue shifting from malware delivery to direct financial fraud, user awareness alone is insufficient. Infrastructure monitoring, domain takedowns, and proactive SMS phishing detection are critical to disrupting these operations at scale.

Our Recommendations:

• Always verify traffic fines directly via official government portals, not SMS links.
• Organizations should monitor for lookalike domains abusing government and brand identities.
• SOC teams should track shared phishing infrastructure, as takedown of one domain may disrupt multiple campaigns.
• Telecom providers should strengthen SMS filtering for financial and government-themed lures.
• Financial institutions should monitor for card-not-present fraud patterns linked to phishing campaigns.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Initial Access	T1566.001	Phishing: Spearphishing via SMS
Credential Access	T1056	Input Capture
Collection	T1119	Automated Collection
Exfiltration	T1041	Exfiltration Over C2 Channel
Impact	T1657	Financial Theft

Indicators of Compromise (IOCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

Indicators	Indicator Type	Description
echala[.]vip echallaxzov[.]vip	Domain	Phishing Domain
echallaxzrx[.]vip
echallaxzm[.]vip
echallaxzv[.]vip
echallaxzx[.]vip
echallx[.]vip
echalln[.]vip
echallv[.]vip
delhirzexu[.]vip
delhirzexi[.]vip
delhizery[.]vip
delhisery[.]vip
dtdcspostb[.]vip
dtdcspostv[.]vip
dtdcspostc[.]vip
hsbc-vnd[.]cc
hsbc-vns[.]cc
parisvaihen[.]icu
parizvaihen[.]icu
parvaihacn[.]icu
101[.]33[.]78[.]145	IP	Malicious IP
43[.]130[.]12[.]41

The post RTO Scam Wave Continues: A Surge in Browser-Based e-Challan Phishing and Shared Fraud Infrastructure appeared first on Cyble.