Canis C2 Exposed: Previously Undocumented Cross-Platform ...

April 9, 2026, 6:05 p.m.

Description

On March 19, a researcher on X posted a suspicious Android APK tied to a phishing page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself. The server wasn't running a simple credential harvester. Agents for Android, iOS, Windows, Linux, and macOS were present, alongside a canvas-based device fingerprinting system and code that references iOS sandboxing mechanisms by name. The actor behind it is clearly comfortable with Japanese, and large portions of the codebase show signs of LLM-assisted development.

Date

  • Created: April 8, 2026, 7:09 p.m.
  • Published: April 8, 2026, 7:09 p.m.
  • Modified: April 9, 2026, 6:05 p.m.

Indicators

  • f8e9a720468c89f191d8cb12d46d81ef67b87a9ef95a307835c556a0885bd181
  • 564b381dc3e6fc737fd9b46fb5ee1e06f4e333d2886f0805514af44947a4c271
  • http://info-payeasy.com/assets/index-DdmV8luQ.js
  • http://info-payeasy.com/pages/overview.html

Additional Information

  • americanexpress-site.com
  • devicesecurity.pro
  • applesecurity.pro
  • info-payeasy.com
  • android-protect.com
  • ios-deviceprotect.com