Tag: trojan

28 Attack Reports | 0 Vulnerabilities

Attack reports

RedAlert Trojan Campaign: Fake Emergency Alert App Spread via SMS Spoofing Israeli Home Front Command

A malicious SMS spoofing campaign is spreading a fake version of Israel's 'Red Alert' emergency app amid ongoing conflict. The trojanized Android app, disguised as a trusted warning platform, can steal SMS, contacts, and location data while appearing legitimate. The campaign exploits public fear du…
data theft
trojan
android malware
geopolitical conflict
2026-03-03
gps tracking
israel-iran conflict
redalert
sms spoofing
Published: March 3, 2026
Downloadable IOCs: 3

NFCShare Android Trojan: NFC card data theft via malicious APK

A new Android trojan, named NFCShare, has been discovered targeting Deutsche Bank customers through a phishing campaign. The malware, disguised as a banking app update, prompts users to perform a fake card verification process. It exploits NFC technology to steal card data and PINs, which are then …
phishing
android
trojan
banking
data exfiltration
nfc
websocket
2026-01-30
card theft
nfcshare
Published: January 30, 2026
Downloadable IOCs: 2

Webrat, disguised as exploits, is spreading via GitHub repositories

A new malware campaign targeting security professionals and students has been uncovered. The threat actor behind Webrat is now disguising the backdoor as exploits and proof-of-concept code for high-profile vulnerabilities, distributing it through GitHub repositories. The malware, which previously s…
malware
backdoor
exploit
vulnerability
trojan
information-stealing
social-engineering
cybersecurity
github
webrat
CVE-2025-59230
CVE-2025-59295
CVE-2025-10294
2025-12-23
Published: December 23, 2025
Linked vulnerabilities : CVE-2025-59230 (CVSS 7.8), CVE-2025-59295 (CVSS 8.8), CVE-2025-10294 (CVSS 9.8), CVE-2025-11833 (CVSS 9.8), CVE-2025-11499 (CVSS 9.8), CVE-2025-12595 (CVSS 7.4), CVE-2025-12596 (CVSS 7.4), CVE-2025-55234, CVE-2025-54106, CVE-2025-54897
Downloadable IOCs: 5

"Sneaky" new Android malware takes over your phone, hiding in fake news and ID apps

A sophisticated Android Trojan has been discovered that masquerades as trusted apps like news readers or digital ID applications. Once installed, it quietly operates in the background, stealing sensitive information such as login credentials and financial data. The malware exploits Android's Access…
android
cryptocurrency
trojan
banking malware
southeast asia
overlay attack
accessibility services
2025-11-05
android/trojan.spy.banker.aur9b9b491bc44
Published: November 5, 2025
Downloadable IOCs: 0

Technical Analysis of Zloader Updates

Recent versions of Zloader, a Zeus-based modular trojan, have introduced significant enhancements to its functionality. These updates include improved obfuscation techniques, anti-analysis strategies, and network communication methods. The malware now supports WebSockets and has modified its DNS tu…
obfuscation
ransomware
evasion
anti-analysis
zloader
zeus
trojan
banking
websockets
2025-09-22
dns-tunneling
zeus-based
ldap
Published: September 22, 2025
Downloadable IOCs: 0

Suspected APT-C-00 Delivers Havoc Trojan

A recent analysis of a suspicious trojan loader reveals similarities to the APT-C-00 (Ocean Lotus) group, a government-backed hacker organization targeting East Asian companies and government agencies. The sample, a DLL file with excellent evasion capabilities, uses hash algorithms to dynamically o…
apt
persistence
trojan
dll sideloading
process hollowing
east asia
2025-09-22
havoc rat
Published: September 22, 2025
Downloadable IOCs: 0

AI-Generated Code and Fake Apps Used for Far-Reaching Attacks

A new malware campaign called EvilAI is spreading globally by disguising itself as legitimate AI-enhanced productivity tools. The malware uses AI-generated code and professional interfaces to evade detection, targeting organizations across sectors like manufacturing, government, and healthcare. It …
obfuscation
persistence
node.js
trojan
credential theft
command and control
2025-09-12
ai-generated code
evilai
fake applications
Published: September 12, 2025
Downloadable IOCs: 14

Backdoor in "AppSuite PDF Editor": A Detailed Technical Analysis

A detailed analysis of a malicious PDF editor application called AppSuite PDF Editor reveals it to be a sophisticated backdoor. The software, masquerading as a legitimate productivity tool, is distributed through high-ranking websites. Once installed, it creates scheduled tasks and establishes pers…
backdoor
trojan
data exfiltration
aes encryption
command and control
scheduled tasks
browser manipulation
2025-08-28
appsuite pdf editor
pdf editor
appsuite
Published: August 28, 2025
Downloadable IOCs: 9

Android Malware Posing As Indian Bank Apps

This report analyzes a sophisticated Android malware targeting Indian banking apps. The malware uses a dropper and main payload structure, leveraging permissions like SMS access and silent installation to steal credentials, intercept messages, and perform unauthorized financial activities. It emplo…
phishing
android
credential-theft
trojan
banking
firebase
2025-07-25
call-forwarding
sms-interception
Published: July 25, 2025
Downloadable IOCs: 2

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

A new variant of macOS.ZuRu malware has been discovered, targeting users through a trojanized version of the Termius app. This backdoor, initially noted in 2021, now uses a modified Khepri C2 framework for post-infection operations. The malware is delivered via a .dmg disk image containing a hacked…
backdoor
persistence
macos
trojan
2025-07-10
khepri
zuru
c2 beacon
khepri c2
termius
macos.zuru
Published: July 10, 2025
Downloadable IOCs: 4

A new version of Triada spreads embedded in the firmware of Android devices

Kaspersky researchers have discovered a new version of the Triada Trojan being distributed through infected Android device firmware. The malware is embedded into system files before devices are sold, making it nearly impossible to remove. It infects the Zygote process to compromise all apps on the …
android
cryptocurrency
trojan
credential theft
triada
sms interception
firmware
reverse proxy
2025-04-25
Published: April 25, 2025
Downloadable IOCs: 0

Fake Cloudflare Verification Results in LummaStealer Trojan Infections

A malicious campaign targeting Windows users through WordPress websites is deploying the LummaStealer trojan. Attackers use fake Cloudflare verification prompts to trick users into running malicious PowerShell commands. The infection is spread through compromised plugins or injected JavaScript in l…
powershell
lummac2
infostealer
trojan
wordpress
cloudflare
lummastealer
javascript injection
2025-03-20
Published: March 20, 2025
Downloadable IOCs: 4

Rat King: How the Android Trojan CraxsRAT Steals User Data

CraxsRAT, an Android trojan, has been targeting Russian and Belarusian users since summer 2024. It masquerades as legitimate apps like government services, antivirus software, and telecom operators. The malware spreads through social engineering tactics, prompting users to download malicious APK fi…
espionage
social engineering
android
data theft
trojan
financial fraud
remote access
craxsrat
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 0

Hive0147 serving juicy Picanha with a side of Mekotio

IBM X-Force observed Hive0147, a highly active threat group in Latin America, distributing a new Golang-based downloader named Picanha to deploy the Mekotio banking trojan. Picanha is a two-stage malware that uses advanced techniques like direct syscalls and supports multiple download URLs, reliabl…
malware
trojan
banking
downloader
mekotio
2024-10-17
banker.fn
picanha
Published: October 17, 2024
Downloadable IOCs: 20

CoreWarrior Spreader Malware Surge

This report delves into an analysis of CoreWarrior, a persistent trojan designed for rapid propagation. It creates multiple copies of itself, attempts connections to various IP addresses, opens backdoor access, and hooks Windows UI elements for monitoring purposes. The malware employs techniques li…
backdoor
evasion
anti-analysis
trojan
2024-10-15
propagation
corewarrior
Published: October 15, 2024
Downloadable IOCs: 3

Uncovering ICICI Phishing Campaign: New Fraud App Found

A malicious host mimicking ICICI Bank has been discovered, along with a fraudulent app disguised as ICICI Helpdesk. The phishing domain, cppcccare.com, is hosted on an ASN known for various malicious activities. The fraudulent app, named 'ICICI.apk', is detected as a Trojan Banker, Keylogger, and S…
android
trojan
banking
2024-09-24
Published: September 24, 2024
Downloadable IOCs: 3

Analyzing the Mekotio Trojan

The analysis delves into the Mekotio Trojan, a sophisticated malware that employs a PowerShell dropper to execute its payload. The dropper employs obfuscation techniques, such as custom XOR decryption, to conceal its operations. It collects system information, communicates with a command-and-contro…
malware
obfuscation
powershell
persistence
trojan
2024-08-30
mekotio trojan
Published: August 30, 2024
Downloadable IOCs: 2

HZ Rat backdoor for macOS harvests data from WeChat and DingTalk

A version of the HZ Rat backdoor targeting users of China’s WeChat and DingTalk was uploaded to VirusTotal in July 2023 and was not detected by any vendor, research by Kaspersky suggests.
backdoor
macos
trojan
2024-08-27
instant messengers
hz rat
dingtalk
wechat
openvpn
Published: August 27, 2024
Downloadable IOCs: 10

New Widespread Extension Trojan Malware Campaign

This report discusses a widespread polymorphic malware campaign that forcefully installs malicious browser extensions on endpoints. The malware, originating from imitations of download websites, delivers various malicious payloads, including adware extensions, data stealing scripts, and commands to…
trojan
adware
hijacking
2024-08-07
polymorphic
browser
bankshot
extensions
Published: August 7, 2024
Downloadable IOCs: 0

BlankBot: A new Android banking trojan

A new Android banking trojan called BlankBot has been discovered. Discovered by Intel 471 researchers in July 2024, BlankBot primarily targets Turkish users through impersonated utility apps. With a range of malicious capabilities like customer injections, keylogging, screen recording, and remote c…
android
trojan
banking
keylogging
2024-08-06
blankbot
Published: August 6, 2024
Downloadable IOCs: 0

Distribution of AsyncRAT Disguised as Ebook

This analysis covers the distribution of AsyncRAT malware disguised as an ebook. The compressed file contains a malicious LNK and PowerShell scripts that ultimately execute AsyncRAT. The malware employs various techniques, such as obfuscation, task scheduling, and anti-VM and anti-AV capabilities, …
obfuscation
powershell
persistence
trojan
asyncrat
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 5

A New Compact Variant Discovered

Security researchers at Cleafy Labs detected a resurgence of the Medusa banking trojan, which targets Android devices for on-device fraud. The new variant exhibits a lightweight permission set, expanded geographical targeting, and the adoption of droppers for distribution. It introduces capabilitie…
android
trojan
fraud
medusa
2024-06-26
tanglebot
Published: June 26, 2024
Downloadable IOCs: 50

China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence

python
plugx
lsass
trojan
2024-06-18
sygnia
c server
shadowpad
wmiexec
virustotal
earthworm
impacket
f5 bigip
command
f5 appliance
svchost
velvet ant
wireshark
guard
protect
Published: June 18, 2024
Downloadable IOCs: 5

New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan dubbed 'CarnavalHeist'. The malware employs common tactics like financial-themed spam emails, Delphi-based DLLs, overlay attacks, and input capture techniques like keylogging and screen capture. Ho…
trojan
banking
2024-05-31
brazil
keylogging
overlay
access_pc_client.dll
carnavalheist
Published: May 31, 2024
Downloadable IOCs: 61

AllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America

Earlier in May, a security product detected a malicious payload aimed at stealing credentials required to access Brazilian bank accounts. The payload, named AllaSenha, is a variant of the infamous AllaKore RAT, leveraging Azure cloud infrastructure for command and control. It is specifically design…
trojan
banking
2024-05-31
brazil
allakore
azure
allasenha
stealing
credential
Published: May 31, 2024
Downloadable IOCs: 61

Banking trojan unleashed: Observing emerging global campaigns

IBM's X-Force has been tracking large-scale phishing campaigns distributing the Grandoreiro banking trojan, likely operated as a Malware-as-a-Service. The malware targets over 1500 global banks, enabling banking fraud in over 60 countries. The latest variant features major updates, including string…
phishing
trojan
2024-05-20
banking
malware-as-a-service
grandoreiro
Published: May 20, 2024
Downloadable IOCs: 18

Leveraging DNS Tunneling for Tracking and Scanning

This article presents a case study on new applications of domain name system (DNS) tunneling PaloAlto Unit42 have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.
exploit
cobalt strike
dns query
trojan
2024-05-08
oilrig
dns tunneling
dns traffic
trkcdn campaign
alliance
attack
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 63

Linux Trojan - Xorddos with Filename eyshcjdmzg

This analysis examines a recurring Linux trojan called Xorddos, which is a distributed denial-of-service (DDoS) malware. It provides details on various file hashes associated with the malware, as well as indicators of compromise (IOCs) such as IP addresses, domains, and email addresses. The analysi…
linux
phishing
trojan
ddos
xorddos
eyshcjdmzg
Published: May 1, 2024
Downloadable IOCs: 11
Click here to see more Attack Reports