Tag: spyware

33 Attack Reports | 0 Vulnerabilities

Attack reports

Prolific Zero-Day Exploits Continue

Despite sanctions, Intellexa continues to operate, developing and selling spyware to various clients. The company has been linked to 15 unique zero-day vulnerabilities since 2021, targeting mobile browsers and operating systems. Their exploit chain, known as 'smack', uses a framework called JSKit f…
ios
surveillance
android
zero-day
spyware
CVE-2024-4610
chrome
CVE-2025-6554
2025-12-04
predator
CVE-2023-41991
CVE-2023-41992
CVE-2023-41993
exploit-chain
CVE-2023-2033
preyhunter
CVE-2023-4762
CVE-2021-37976
CVE-2023-2136
CVE-2023-3079
CVE-2021-37973
CVE-2021-38003
CVE-2021-1048
CVE-2025-48543
CVE-2021-38000
Published: December 4, 2025
Linked vulnerabilities : CVE-2024-4610, CVE-2025-6554 (CVSS 8.1), CVE-2025-12480 (CVSS 9.1), CVE-2025-48543, CVE-2021-1048, CVE-2023-2136, CVE-2021-38003, CVE-2021-37976, CVE-2023-2033, CVE-2023-41993, CVE-2023-41992, CVE-2023-41991, CVE-2023-4762, CVE-2023-3079, CVE-2021-38000, CVE-2021-37973, CVE-2022-42856
Downloadable IOCs: 2

Global Corporate Web

This analysis explores the corporate structure and operations of Intellexa, a mercenary spyware vendor. It reveals new companies likely tied to Intellexa's network, particularly within a Czech cluster, and examines their roles in product shipment and potential infection vectors. The report traces I…
spyware
infrastructure
2025-12-04
predator
export data
corporate structure
ad-based infection
aladdin
Published: December 4, 2025
Downloadable IOCs: 0

4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign

A threat actor named ShadyPanda has been identified as responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. The campaign includes two active operations: a 300,000-user RCE backdoor and a 4-million-user spyware operation. ShadyPanda's extension…
spyware
data exfiltration
malware campaign
chrome
edge
browser extension
trust exploitation
2025-12-03
infinity v+
clean master
wetab
rce backdoor
Published: December 3, 2025
Downloadable IOCs: 0

GPT Trade: Fake Google Play Store drops BTMob Spyware and UASecurity Miner on Android Devices

A sophisticated Android dropper impersonating the Google Play Store was discovered, distributing an app called 'GPT Trade'. This malicious application, disguised as an AI trading assistant, actually deploys two dangerous payloads: BTMob spyware and UASecurity Miner. The dropper creates directories,…
social engineering
android
dropper
spyware
modular malware
btmob
2025-11-19
apk packer
uasecurity miner
fake app store
cryptocurrency miner
gpt trade
Published: November 19, 2025
Downloadable IOCs: 10

Fantasy Hub: Another Russian Based RAT as Malware-as-a-Service

A new Android Remote Access Trojan called Fantasy Hub has been identified, sold on Russian-language channels as a Malware-as-a-Service (MaaS) subscription. The malware offers extensive device control and espionage capabilities, including SMS exfiltration, contact theft, call log access, and bulk im…
rat
android
spyware
banking
russian
maas
financial
sms
2025-11-10
fantasy hub
Published: November 10, 2025
Downloadable IOCs: 169

New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices

Unit 42 researchers have uncovered LANDFALL, a previously unknown Android spyware family targeting Samsung Galaxy devices. The spyware exploits CVE-2025-21042, a zero-day vulnerability in Samsung's image processing library, to deliver commercial-grade surveillance capabilities. LANDFALL is embedded…
android
whatsapp
zero-day
spyware
samsung
CVE-2025-43300
CVE-2025-55177
2025-11-07
CVE-2025-21042
CVE-2025-21043
landfall
dng
commercial-grade
Published: November 7, 2025
Downloadable IOCs: 18

ClayRat: A New Android Spyware Targeting Russia

ClayRat is a rapidly evolving Android spyware campaign primarily targeting Russian users. Distributed through Telegram channels and phishing sites, it masquerades as popular apps to lure victims. The spyware can exfiltrate SMS messages, call logs, notifications, and device information, as well as t…
phishing
spyware
2025-10-10
sms
clayrat
Published: October 10, 2025
Downloadable IOCs: 857

New spyware campaigns target privacy-conscious Android users in the UAE

Two Android spyware campaigns, ProSpy and ToSpy, have been discovered targeting users in the United Arab Emirates. These campaigns impersonate secure messaging apps like Signal and ToTok, distributing malware through deceptive websites and social engineering tactics. Once installed, the spyware exf…
phishing
android
persistence
spyware
data exfiltration
uae
signal
2025-10-02
android/spy.tospy
totok
app impersonation
android/spy.prospy
Published: October 2, 2025
Downloadable IOCs: 30

Datzbro: RAT Hiding Behind Senior Travel Scams

A new Android Trojan named Datzbro has been discovered targeting seniors through fake Facebook groups promoting travel and social activities. The malware, which combines spyware and banking Trojan capabilities, is distributed via malicious APKs disguised as community apps. Datzbro features remote a…
social engineering
spyware
remote access
zombinder
banking malware
android trojan
2025-09-30
facebook groups
datzbro
senior scams
Published: September 30, 2025
Downloadable IOCs: 0

The Price of Trust: Analyzing the Malware Campaign Exploiting TASPEN's Legacy to Target Indonesian Senior Citizens

A sophisticated mobile malware campaign is targeting Indonesian pensioners by impersonating TASPEN, the state pension fund. The attackers use a phishing website to distribute a malicious Android app that steals banking credentials, intercepts SMS messages for OTPs, and captures biometric data. The …
phishing
spyware
banking trojan
mobile malware
indonesia
senior citizens
2025-08-27
pension fund
taspen
Published: August 27, 2025
Downloadable IOCs: 7

Android backdoor spies on Russian business employees

A sophisticated Android backdoor named Android.Backdoor.916.origin is targeting Russian business representatives. The malware, disguised as an antivirus app called 'GuardCB', has extensive surveillance capabilities including intercepting calls, streaming camera footage, stealing data from messaging…
backdoor
surveillance
android
spyware
russian
2025-08-25
mobile-malware
business
android.backdoor.916.origin
targeted-attack
Published: August 25, 2025
Downloadable IOCs: 0

Legitimate Chrome VPN Extension Turns to Browser Spyware

A popular Chrome VPN extension, FreeVPN.One, with over 100,000 installs has transformed into spyware. Initially legitimate, the extension began capturing screenshots of users' online activities and collecting sensitive information after an update in April 2025. The spyware operates covertly, automa…
spyware
vpn
data exfiltration
chrome extension
browser security
google web store
2025-08-19
screenshot capture
freevpn.one
user privacy
Published: August 19, 2025
Downloadable IOCs: 3

Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads

An unidentified spyware called Batavia has been targeting Russian industrial organizations since July 2024 through a sophisticated phishing operation. The campaign uses bait emails disguised as contract agreements to trick employees into downloading malicious scripts, initiating a multi-stage infec…
phishing
spyware
data exfiltration
evasion tactics
multi-stage attack
batavia
2025-07-09
c++ malware
persistence mechanisms
russian targets
vbs scripts
delphi executable
Published: July 9, 2025
Downloadable IOCs: 2

Batavia spyware steals data from Russian organizations

The Batavia spyware campaign, active since July 2024, targets Russian industrial enterprises through phishing emails containing malicious links disguised as contract documents. The infection process involves three stages: a VBS script downloader, the WebView.exe spyware, and the javav.exe module. T…
phishing
spyware
uac bypass
multi-stage infection
2025-07-07
vbs script
webview.exe
batavia
javav.exe
Published: July 7, 2025
Downloadable IOCs: 2

The new SparkKitty Trojan spy in the App Store and Google Play

A new spyware campaign dubbed SparkKitty has been discovered targeting both iOS and Android devices. The malware, believed to be connected to the previously identified SparkCat campaign, is distributed through official app stores and unofficial sources. It primarily steals photos from infected devi…
ios
android
cryptocurrency
china
spyware
sparkcat
southeast asia
2025-06-23
sparkkitty
Published: June 23, 2025
Downloadable IOCs: 20

Caught in the Act: Uncovering SpyNote in Unexpected Places

Multiple samples of SpyNote, a sophisticated Android spyware, were discovered in open directories, disguised as legitimate apps like Google Translate, Temp Mail, and Deutsche Postbank. The malware exploits accessibility services and device administrator privileges to steal sensitive information fro…
android
spyware
spynote
data exfiltration
c2 infrastructure
open directories
accessibility services
2025-06-20
device administrator
malicious apps
Published: June 20, 2025
Downloadable IOCs: 2

The Transparent Tribe Vibe: APT36 Returns With CapraRAT Impersonating Viber

APT36, also known as Transparent Tribe, has been observed using VPS provider Contabo to host malicious infrastructure for CapraRAT and Crimson RAT. Their latest tactic involves disguising spyware as the popular messaging app Viber, granting extensive permissions to record calls, read messages, and …
impersonation
android
crimson rat
spyware
transparent tribe
caprarat
contabo
2025-06-03
vps
androrat
viber
Published: June 3, 2025
Downloadable IOCs: 3

North Korean APT37 Mobile Spyware Discovered

A new Android spyware called KoSpy has been attributed to the North Korean group APT37 (ScarCruft). The malware, active since March 2022, targets Korean and English-speaking users by masquerading as utility apps. KoSpy uses a two-stage C2 infrastructure, retrieving initial configurations from Fireb…
apt
surveillance
north korea
android
spyware
konni
apt37
2025-04-12
scarcruft
kospy
Published: April 12, 2025
Downloadable IOCs: 0

Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations

The report investigates Paragon Solutions, an Israeli spyware company founded in 2019 that sells a product called Graphite. Through infrastructure analysis, the researchers identified potential Paragon deployments in several countries. They also found evidence linking Paragon to the Canadian Ontari…
surveillance
graphite
spyware
cybersecurity
human rights
law enforcement
2025-03-19
canada
italy
zero-click exploit
Published: March 19, 2025
Downloadable IOCs: 22

Hackers Hijack JFK File Release: Malware & Phishing Surge

A potentially growing cyber threat campaign has been uncovered surrounding the release of declassified JFK, RFK, and MLK files. Attackers are exploiting public interest in these historical documents to launch malware campaigns, phishing schemes, and exploit attempts. Within days of the announcement…
malware
phishing
social engineering
ransomware
spyware
domain spoofing
2025-02-03
cyber threat
trojans
declassified files
historical documents
jfk files
Published: February 3, 2025
Downloadable IOCs: 4

ANDROID MALWARE IN DONOT APT OPERATIONS

The DONOT APT group, serving Indian national interests, has deployed Android malware named 'Tanzeem' for intelligence gathering against internal threats. The malware, disguised as a chat application, exploits OneSignal, a customer engagement platform, for malicious purposes. It requests dangerous p…
apt
android
spyware
2025-01-21
Published: January 21, 2025
Downloadable IOCs: 6

PlainGnome and Bonespy Russian Android spyware discovered | Threat Intel

Two Android surveillance families, BoneSpy and PlainGnome, have been discovered and attributed to the Russian Gamaredon APT group, associated with the FSB. BoneSpy, active since 2021, is based on open-source DroidWatcher, while PlainGnome emerged in 2024. Both target Russian-speaking victims in for…
surveillance
android
russia
spyware
fsb
2024-12-13
shuckworm
plaingnome
primitive bear
bonespy
Published: December 13, 2024
Downloadable IOCs: 31

Something to Remember Us By: Device Confiscated by Russian Authorities Returned with Monokle-Type Spyware Installed

A joint investigation by The First Department and The Citizen Lab uncovered spyware covertly implanted on a Russian programmer's phone after it was confiscated by authorities. The individual, accused of sending money to Ukraine, was subjected to beatings and recruitment attempts by the FSB during h…
surveillance
android
russia
spyware
2024-12-05
monokle
trojanized app
device confiscation
fsb
Published: December 5, 2024
Downloadable IOCs: 0

New Android Spyware Campaign Targets South Koreans via AWS

A sophisticated Android spyware campaign targeting South Koreans has been uncovered by Cyble Research and Intelligence Labs. Active since June 2024, the malware exploits an Amazon AWS S3 bucket as its Command and Control server to exfiltrate sensitive personal data including SMS messages, contacts,…
android
spyware
south korea
cloud security
data exfiltration
aws
mobile malware
2024-10-01
stealth techniques
Published: October 1, 2024
Linked vulnerabilities : CVE-2024-21887, CVE-2023-46805, CVE-2021-44228, CVE-2017-11882, CVE-2024-21893
Downloadable IOCs: 7

EastWind campaign: new CloudSorcerer attacks on government organizations in Russia

Kaspersky detected an ongoing targeted cyberattack campaign, dubbed EastWind, targeting Russian government organizations and IT companies. The attackers employed phishing emails with malicious shortcuts to deliver malware that communicated via Dropbox. They utilized tools associated with APT31 and …
rat
phishing
spyware
dll sideloading
cloudsorcerer
2024-08-14
plugy
grewapacha
Published: August 14, 2024
Downloadable IOCs: 5

LianSpy: new Android spyware targeting Russian users

Kaspersky discovered an Android spyware campaign called LianSpy that targets Russian users. The malware can capture screencasts, exfiltrate files, and harvest call logs and app lists. It employs evasive tactics like using the Russian cloud service Yandex Disk for command and control communication, …
android
spyware
2024-08-06
yandex
russian
lianspy
Published: August 6, 2024
Downloadable IOCs: 0

New Mandrake Android spyware version discovered on Google Play

n April 2024, Securelist discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any …
malware
android
spyware
google play
2024-07-29
mobile malware
mandrake
response opcode
apk file
airfs
Published: July 29, 2024
Downloadable IOCs: 9

The tapestry of threats targeting Hamster Kombat players

This analysis delves into the various malicious threats capitalizing on the immense popularity of the Hamster Kombat mobile game. It reveals that cybercriminals are exploiting players' interests by distributing Android spyware disguised as the game through unofficial channels, as well as creating f…
android
spyware
2024-07-24
Published: July 24, 2024
Downloadable IOCs: 26

Exploiting CVE-2021-40444 to Infiltrate Systems

A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening it triggered the exploitation of CVE-2021-40444, allowing arbitrary code execution. This downloaded an HTM…
vulnerability
spyware
keylogger
2024-07-02
information theft
CVE-2021-40444
merkspy
Published: July 2, 2024
Linked vulnerabilities : CVE-2021-40444
Downloadable IOCs: 6

CapraTube Remix | Android Spyware Targeting Gamers, Weapons Enthusiasts

SentinelLabs has uncovered a new campaign of Android spyware apps associated with the suspected Pakistan state-aligned Transparent Tribe threat group. The malicious apps, disguised as video browsers, gaming sites, and TikTok content, target mobile gamers, weapons enthusiasts, and individuals intere…
social engineering
android
pakistan
spyware
2024-07-01
caprarat
Published: July 1, 2024
Downloadable IOCs: 6

Arid Viper poisons Android apps with AridSpy

ESET researchers identified five campaigns targeting Android users with trojanized apps that deploy multistage Android spyware called AridSpy. This malware, attributed with medium confidence to the Arid Viper APT group, focuses on user data espionage. AridSpy downloads additional payloads from its …
espionage
android
exfiltration
spyware
2024-06-14
aridspy
Published: June 14, 2024
Downloadable IOCs: 37

macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge

This analysis discusses the emergence of a new macOS malware family called 'Cuckoo Stealer', which acts as an infostealer and spyware. It describes Cuckoo Stealer's main features, logic, and provides indicators of compromise to assist threat hunters and defenders. The malware employs techniques lik…
obfuscation
infostealer
persistence
macos
spyware
2024-05-05
2024-05-06
2024-05-07
2024-05-08
cuckoo stealer
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 4

Malware: Behaves Like Cross Between Infostealer and Spyware

On April 24, 2024, we found a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. We have named the malware Cuckoo, after the bird that lays its eggs in the nests of other birds and steals the host's resources for the gain of its young.
infostealer
2024-05-03
spyware
cuckoo
Published: May 3, 2024
Downloadable IOCs: 18
Click here to see more Attack Reports