attack Archives

AppWizard

June 19, 2026

Rokarolla trojan uses screen overlays to hijack Android financial apps

A new banking trojan for Android, named Rokarolla, targets 217 applications, including banking and cryptocurrency platforms, to steal credentials and sensitive financial data. It operates via a command and control (C2) server and bypasses the Google Play Store by using phishing websites that mimic legitimate download portals. Users are tricked into downloading a dropper that installs the malware, which disguises itself as the Google Play Protect security tool to gain access to Android Accessibility Services. Rokarolla employs dynamic screen overlays to capture user input in targeted financial applications and can also impersonate the device's lock screen. Additionally, it uses a pseudo-VNC system to intermittently capture screenshots for data extraction and can modify clipboard contents to manipulate cryptocurrency transactions by replacing copied addresses with those controlled by attackers.

AppWizard

June 17, 2026

Capcom has heard feedback that Onimusha is too easy, says it’s ‘confident fans will be satisfied with difficulty’ in the final game

Onimusha: Way of the Sword features a demo that showcases a later segment of the game set in Kyoto's open areas, highlighting its art direction, character movements, and swordplay. The melee combat differs from FromSoftware titles, offering immersive animations and impactful feedback. The demo was perceived as easy, particularly in "Action" mode, with basic enemies posing little threat, while the challenge increased during the boss fight. The game's director, Nihei, noted that both the demo and the event version are early in the game's progression, explaining the ease of basic enemies and indicating that players will face tougher foes as they advance. The demo included button prompts over enemies, which will not be present in the final product. Capcom intends to gradually introduce Musashi's abilities and increase enemy difficulty in the final release. The game will launch with only two difficulty settings: Story and Action, on September 24.

Winsage

June 17, 2026

Windows and Linux users: The deadline to update Secure Boot keys is near

In 2012, a novel bootkit targeting Mac OS X systems emerged, infiltrating the EFI firmware. A basic bootkit for Windows 8 also appeared, compromising the UEFI bootkit. By 2013, a more sophisticated UEFI bootkit named Dreamboat was introduced for Windows. The first documented real-world UEFI attack occurred in 2018 with the malware LoJax, linked to a Kremlin-backed hacking group. In 2020, the second known UEFI malware, MosaicRegressor, was discovered, which verified the presence of a malicious file upon each reboot. New UEFI bootkits like ESpecter, FinSpy, and MoonBounce have since emerged. In response to the threat of UEFI bootkits, Microsoft collaborated with manufacturers to implement Secure Boot, a protocol that uses cryptographic signatures to ensure the integrity of firmware during startup.

AppWizard

June 17, 2026

New Rokarolla Android Trojan Targets 217 Banking and Crypto Apps

Zimperium’s zLabs researchers have analyzed a newly identified Android banking trojan named Rokarolla, which targets 217 distinct banking and cryptocurrency applications. It is distributed through malicious websites that impersonate popular platforms like TikTok and Google Chrome, with one identified distribution point being hxxps://infocontablidades[.]it[.]com/. The malware uses a dropper disguised as Google Play Protect to install a second-stage payload and gain Accessibility Services access, allowing it to simulate user interactions and manipulate on-screen elements. Rokarolla downloads counterfeit HTML login pages for targeted applications and overlays them to capture user credentials, including sensitive card information. It can also deploy a fraudulent PIN entry screen, read and send SMS messages, intercept one-time codes from banks, and block incoming calls. The malware rewrites the clipboard, operates a keylogger and screen content logger, and scrapes WhatsApp contact data. It captures screenshots without alerting users and has a resilient command-and-control infrastructure with multiple fallback domains. No product flaws are exploited, and defenses against it include installing apps only from Google Play and being cautious with Accessibility Services. Zimperium’s Mobile Threat Defense and zDefend products can detect Rokarolla, and a list of indicators of compromise is available on their GitHub repository.

Winsage

June 17, 2026

Windows SprySOCKS Malware: Advanced Kernel-Level Rootkit Targets Government Organizations via Supply Chain Vulnerabilities

The Windows variant of SprySOCKS malware, developed by the Chinese threat group Earth Lusca, targets government entities globally and features advanced capabilities such as rootkit-level stealth and extensive command-and-control (C2) functionalities. It operates on Windows systems, utilizing two main variants: WINDRV, which includes kernel drivers for stealth operations, and WINPLUS, a streamlined backdoor. The malware can communicate over TCP, UDP, and WebSocket, offering over 30 C2 commands for various operations, including system information gathering and keystroke logging. WINDRV loads a driver named ‘RawWNPF’ into memory using another signed kernel driver, allowing it to conceal processes and achieve persistence. The malware's design incorporates open-source elements and exploits vulnerabilities in the software supply chain, notably using a leaked certificate for driver signing. To combat SprySOCKS, organizations are advised to implement advanced endpoint detection and response (EDR) solutions, maintain regular patching, and manage supply chain risks vigilantly. The malware's adaptability and reliance on legitimate certificates complicate detection efforts, necessitating continuous refinement of security practices.

AppWizard

June 16, 2026

Honda Civics And Installing Software With Android Test Keys

Eric McDonald conducted reverse-engineering on the Android-based infotainment system in a 2021 Honda Civic, revealing a significant vulnerability. The head unit can be updated via USB using accessible standard Android Open Source Project (AOSP) test keys. This exploit, named the EvilValet attack, allows anyone with physical access to the car's USB port to execute arbitrary code signed with these test keys. While confirmed only in the 2021 Honda Civic, similar Android-based systems may also be at risk due to shared technology across different vehicle models. This vulnerability raises concerns about vehicle security as it allows unauthorized users to manipulate the system through a USB connection.

AppWizard

June 16, 2026

New Rokarolla Android Malware Steals PINs, SMS Codes, and Crypto Wallet Funds

Security researchers at Zimperium's zLabs have identified a new Android banking trojan named Rokarolla, which can target 217 banking and cryptocurrency applications and execute 137 remote commands. The malware spreads through deceptive websites that impersonate popular apps, installing a dropper that mimics Google Play Protect to gain Accessibility access. It uses overlay techniques to capture sensitive information by displaying counterfeit login pages and can intercept SMS messages, including one-time codes from banks. Rokarolla also features a keylogger, screen logger, and can rewrite clipboard contents to divert cryptocurrency payments. It employs advanced methods for discreet data capture and has multiple fallback command-and-control domains, making it resilient against takedowns. There is no patch available for this malware, and users are advised to install apps only from Google Play and remain cautious of unexpected Accessibility requests. Zimperium's products can detect this malware, and indicators of compromise are available on their GitHub repository.

Winsage

June 16, 2026

China-Linked SprySOCKS Backdoor Expands to Windows with Driver-Based Stealth

Cybersecurity researchers have identified two new Windows variants of the SprySOCKS backdoor, named WINDRV and WINPLUS, which were previously thought to be exclusive to Linux systems. Both variants feature hard-coded command-and-control configurations and can communicate via TCP, UDP, and WebSocket protocols. They support over 30 commands for operations such as system information collection and file management. WINDRV employs kernel drivers for stealth, obscuring network connections and allowing TCP traffic diversion. SprySOCKS was first documented by Trend Micro in September 2023, linked to the Chinese state-sponsored threat actor Earth Lusca, also known as FishMonger. The Windows variants belong to version 1.8 of SprySOCKS and utilize a kernel driver named RawWNPF for enhanced stealth. The attack chain begins with an initial access method that drops a batch script, leading to the installation of the backdoor. Evidence suggests these variants may have been used in attacks against government organizations in Honduras, Taiwan, Thailand, and Pakistan between 2023 and 2024. The WINPLUS variant was first detected in July 2024 in Pakistan. There are indications of a potential UEFI bootkit involvement exploiting CVE-2023-24932, a vulnerability in the Windows Boot Manager.

AppWizard

June 15, 2026

Soulslike Game The Relic: First Guardian Sets July 31 PC and PS5 Launch, with Xbox and Switch 2 to Follow

Publisher Perp Games and developer Project Cloud Games announced that The Relic: First Guardian will be released on July 31 for PC (Steam) and PlayStation 5, moving up from its initial 2025 release date. Ports for Xbox Series S and X, as well as Nintendo Switch 2, are expected later in the summer. An exclusive retail version for PlayStation 5 will be available on September 4. The game is set in the world of Arsiltus, where players act as a First Guardian to combat a blight. It features over 70 boss encounters, five weapon types, and twelve skill trees, allowing for personalized builds. The stamina system is designed for dodging and blocking only, freeing players to attack without resource constraints. Progression is based on collectible items called Relics, which offer over 70 passive effects that enhance combat dynamics. PC system requirements have not yet been disclosed.

Tech Optimizer

June 12, 2026

Fake verification pages are stealing Steam accounts from players

Online gamers are being warned about a scam targeting Steam accounts through counterfeit FACEIT verification pages that look authentic. These fraudulent sites feature official branding and functional links, tricking users into entering their passwords. The scam is particularly aimed at FACEIT players, as it exploits the connection between FACEIT and Steam, where players link their accounts. The scam starts with a website mimicking an official FACEIT page, claiming to offer free identity verification. Scammers use lookalike URLs, such as faceit-discord.com and faceit-clubs-verify.com, to deceive users. The site may display subtle errors, like conflicting copyright dates, and encourages users to click a “Sign in through Steam” button, which leads to a fake login window designed to steal user credentials. To protect against this scam, users should verify the website address, be cautious of blurry QR codes, treat urgent messages as suspicious, navigate directly to official sites, and consider using tools like Malwarebytes Browser Guard. If users have already entered their details, they should change their Steam password, enable Steam Guard, and check for unauthorized activity. The scam's effectiveness lies in its convincing presentation and the use of Browser-in-the-Browser attacks, which manipulate the perceived address bar.