Tag: banking

20 Attack Reports | 0 Vulnerabilities

Attack reports

Operation Phantom Enigma

A malicious campaign targeting primarily Brazilian residents has been discovered, with attacks detected since early 2025. The attackers employed phishing emails, some sent from compromised company servers, to distribute malware. Two attack chains were identified: one using a malicious browser exten…
phishing
powershell
stealer
banking
browser extension
2025-06-05
mesh agent
pdq connect agent
Published: June 5, 2025
Downloadable IOCs: 0

SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation

A new Android malware campaign called 'SuperCard X' has been identified, employing NFC-relay techniques to enable fraudulent POS payments and ATM withdrawals. Distributed through a Chinese-speaking Malware-as-a-Service platform, it shares similarities with NGate malware. The campaign uses social en…
android
banking
ngate
maas
2025-04-18
supercard x
relay-attack
Published: April 18, 2025
Downloadable IOCs: 6

Smishing Triad: Chinese eCrime Group Targets 121+ Countries, Introduces New Banking Phishing Kit

The Chinese eCrime group Smishing Triad has launched a global SMS phishing campaign targeting over 121 countries across various industries. Their infrastructure generates over one million page visits in 20 days, averaging 50,000 daily. The group has introduced a new 'Lighthouse' phishing kit focusi…
banking
phishing kit
infrastructure
sms phishing
chinese threat actors
2025-04-10
ecrime
global campaign
Published: April 10, 2025
Downloadable IOCs: 93

Analysis of New Mobile Banking Malware

Salvador Stealer is a newly discovered Android malware that poses as a banking application to steal sensitive user information. It employs a multi-stage attack chain, utilizing a dropper APK to install the main payload. The malware incorporates a phishing website within the app to collect personal …
phishing
android
persistence
banking
data exfiltration
credential stealing
sms interception
otp theft
2025-04-01
salvador stealer
Published: April 1, 2025
Downloadable IOCs: 0

Analysis: SmokeLoader malware distribution

A malicious campaign targeting First Ukrainian International Bank has been observed using the Emmenhtal loader to distribute SmokeLoader malware. The infection chain begins with a deceptive email containing a 7z archive, which extracts to reveal a bait PDF and a shortcut file. The shortcut download…
obfuscation
powershell
cryptbot
infostealers
banking
smokeloader
lumma
emmenhtal
lolbas
2025-03-31
mshta
Published: March 31, 2025
Downloadable IOCs: 0

FinStealer

A sophisticated malware campaign exploits a leading Indian bank's brand through fraudulent mobile applications. Distributed via phishing links and social engineering, these fake apps mimic legitimate bank apps, tricking users into revealing sensitive information. The malware uses advanced evasion t…
sql injection
phishing
android
credential theft
banking
telegram
mobile
c2 servers
xor encryption
2025-02-17
finstealer
trojan.rewardsteal/joxpk
CVE-2011-2688
Published: February 17, 2025
Linked vulnerabilities : CVE-2011-2688
Downloadable IOCs: 5

SmokeLoader Malware Targets Ukraine's Auto & Banking Sectors via Open Directories

An investigation uncovered open directories hosting SmokeLoader malware samples and lure documents targeting Ukraine's automotive and banking sectors. Two servers were identified, containing Windows executables and PDF files posing as invoices from Ukrainian companies. The malware injects into expl…
phishing
malware distribution
ukraine
banking
smokeloader
automotive
open directories
2025-02-07
financial lures
Published: February 7, 2025
Downloadable IOCs: 27

Phishing for Banking Information

A recent phishing campaign targeting Bank of Montreal (BMO) customers has been identified. The scam involves text messages purporting to be from BMO, asking recipients to verify their credit card information. Key indicators of the fraudulent nature include the use of a non-official SMS number, inco…
banking
smishing
2024-12-27
bmo
Published: December 27, 2024
Downloadable IOCs: 2

Hive0147 serving juicy Picanha with a side of Mekotio

IBM X-Force observed Hive0147, a highly active threat group in Latin America, distributing a new Golang-based downloader named Picanha to deploy the Mekotio banking trojan. Picanha is a two-stage malware that uses advanced techniques like direct syscalls and supports multiple download URLs, reliabl…
malware
trojan
banking
downloader
mekotio
2024-10-17
banker.fn
picanha
Published: October 17, 2024
Downloadable IOCs: 20

Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus

This report examines a campaign called 'ErrorFather' that utilizes an undetected variant of the Cerberus Android Banking Trojan. The campaign employed a sophisticated multi-stage dropper technique to deploy the malicious payload, which incorporated features like keylogging, overlay attacks, VNC, an…
malware
android
dropper
banking
overlay
2024-10-15
cerberus
Published: October 15, 2024
Downloadable IOCs: 20

Uncovering ICICI Phishing Campaign: New Fraud App Found

A malicious host mimicking ICICI Bank has been discovered, along with a fraudulent app disguised as ICICI Helpdesk. The phishing domain, cppcccare.com, is hosted on an ASN known for various malicious activities. The fraudulent app, named 'ICICI.apk', is detected as a Trojan Banker, Keylogger, and S…
android
trojan
banking
2024-09-24
Published: September 24, 2024
Downloadable IOCs: 3

NGate Android malware relays NFC traffic to steal cash

ESET researchers uncovered a crimeware campaign targeting bank customers in Czechia. The NGate Android malware can relay NFC data from victims' payment cards to attackers' devices, enabling unauthorized ATM withdrawals. It's the first time this capability has been observed in the wild. The campaign…
malware
phishing
android
banking
2024-08-22
czechia
ngate
relay
nfc
Published: August 22, 2024
Downloadable IOCs: 12

Major Payment Disruption: Ransomware Strikes Indian Banking Infrastructure

CloudSEK's threat research team uncovered a ransomware attack impacting banks and payment providers in India. The attack, initiated through a compromised Jenkins server at Brontoo Technology Solutions, is attributed to the RansomEXX ransomware group. This sophisticated threat actor employs tactics …
ransomware
vulnerability
india
banking
2024-08-20
jenkins
ransomexx
CVE-2024-23897
Published: August 20, 2024
Linked vulnerabilities : CVE-2024-23897
Downloadable IOCs: 18

BlankBot: A new Android banking trojan

A new Android banking trojan called BlankBot has been discovered. Discovered by Intel 471 researchers in July 2024, BlankBot primarily targets Turkish users through impersonated utility apps. With a range of malicious capabilities like customer injections, keylogging, screen recording, and remote c…
android
trojan
banking
keylogging
2024-08-06
blankbot
Published: August 6, 2024
Downloadable IOCs: 0

BingoMod: The new android RAT that steals money and wipes data

In late May 2024, a new Android Remote Access Trojan (RAT) named BingoMod emerged, aiming to initiate fraudulent money transfers from compromised devices using a technique called On-Device Fraud (ODF). After installation, BingoMod steals sensitive information, conducts overlay attacks, and provides…
rat
android
fraud
banking
2024-08-02
bingomod
Published: August 2, 2024
Downloadable IOCs: 3

GXC Team Unmasked: The cybercriminal group targeting Spanish bank users with AI-powered phishing tools and Android malware

Group-IB discovered a Spanish-speaking criminal group, GXC Team, offering a sophisticated AI-powered phishing-as-a-service platform targeting Spanish bank customers. The group specialized in developing phishing kits, Android malware, and AI-powered scam tools. Their malicious Android app, disguised…
phishing
android
banking
spain
2024-07-29
Published: July 29, 2024
Downloadable IOCs: 161

Cybercriminals attack banking customers in EU with V3B phishing kit

An analysis reveals that a cybercriminal group is distributing sophisticated phishing kits to target banking customers in the European Union. These kits, designed to steal sensitive information like credentials and OTP codes, utilize social engineering tactics to deceive victims into revealing pers…
phishing
cybercrime
fraud
social-engineering
banking
2024-06-10
Published: June 10, 2024
Downloadable IOCs: 44

New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan dubbed 'CarnavalHeist'. The malware employs common tactics like financial-themed spam emails, Delphi-based DLLs, overlay attacks, and input capture techniques like keylogging and screen capture. Ho…
trojan
banking
2024-05-31
brazil
keylogging
overlay
access_pc_client.dll
carnavalheist
Published: May 31, 2024
Downloadable IOCs: 61

AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America

Earlier in May, a security product detected a malicious payload aimed at stealing credentials required to access Brazilian bank accounts. The payload, named AllaSenha, is a variant of the infamous AllaKore RAT, leveraging Azure cloud infrastructure for command and control. It is specifically design…
trojan
banking
2024-05-31
brazil
allakore
azure
allasenha
stealing
credential
Published: May 31, 2024
Downloadable IOCs: 61

Banking trojan unleashed: Observing emerging global campaigns

IBM's X-Force has been tracking large-scale phishing campaigns distributing the Grandoreiro banking trojan, likely operated as a Malware-as-a-Service. The malware targets over 1500 global banks, enabling banking fraud in over 60 countries. The latest variant features major updates, including string…
phishing
trojan
2024-05-20
banking
malware-as-a-service
grandoreiro
Published: May 20, 2024
Downloadable IOCs: 18
Click here to see more Attack Reports