blockchain Archives

Winsage

June 19, 2026

Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2

Microsoft has identified a Windows-based cryptocurrency clipper campaign that has been active since February 2026. This campaign uses clipboard-intercepting malware with self-spreading capabilities and operates through the Tor network. The clipper malware employs Windows Script Host and ActiveX to launch a Tor proxy and connect to a hidden command-and-control server. It focuses on stealing clipboard data, particularly cryptocurrency wallet addresses, and can exfiltrate screenshots. The malware is distributed via malicious Windows Shortcut (LNK) files on USB drives, which activate a worm that checks for existing infections and fetches the payload from a remote server. The clipper monitors the clipboard every 500 milliseconds for sensitive information and can replace copied wallet addresses with those controlled by attackers. Microsoft recommends behavioral detections, disabling AutoRun for removable media, blocking LNK execution from drives, and monitoring clipboard-related activities as mitigations against this threat.

AppWizard

June 8, 2026

METABORA GAMES Launches ‘Puzzle & Guardians’ as a LINE MINI App in Japan

On June 8, 2026, METABORA GAMES launched 'Puzzle & Guardians', a collaborative game with Baligames, available as a MINI App on LINE Messenger. The game combines casual three-match puzzle battles and RPG elements, allowing players to collect Guardians and participate in 1v1 PvP duels and dungeon explorations for BORA token rewards. It is accessible to over 100 million LINE users without additional downloads, enhancing user experience. 'Puzzle & Guardians' is integrated with BORA DEEPS, offering customized missions and rewards usable across various BORA DEEPS features. METABORA GAMES plans to expand localized content for the Japanese market and host events to increase the utility of the BORA token.

Winsage

June 2, 2026

PHANTOMPULSE RAT Uses UAC Bypass to Hijack Windows Systems

PHANTOMPULSE is a remote access trojan (RAT) used as a final payload in multi-stage attacks targeting Windows environments. It employs advanced post-exploitation techniques, including process injection, User Account Control (UAC) bypass, and a decentralized blockchain-based command-and-control (C2) mechanism. The malware utilizes three process injection techniques: module stomping, manual DLL mapping, and debug-driven execution. It avoids detection by using direct system calls instead of standard Windows APIs and incorporates a hardware breakpoint mechanism to disable security protections like AMSI and ETW. PHANTOMPULSE retrieves its C2 server address from Ethereum-based transaction data but has a vulnerability that allows defenders to hijack communication. It achieves persistence through scheduled tasks and supports self-healing capabilities. Privilege escalation is done using the "schuac" UAC bypass technique. The malware conducts system reconnaissance focusing on cryptocurrency wallets and messaging apps but does not directly steal credentials. It shows signs of AI-assisted development and shares tactics with DPRK-aligned threat groups, particularly in targeting cryptocurrency platforms.

Winsage

June 2, 2026

New PHANTOMPULSE RAT Campaign Uses UAC Bypass in Windows Attacks

The REF6598 intrusion set has revealed a Remote Access Trojan (RAT) named PHANTOMPULSE, which is distributed via malicious Obsidian plugins. It uses advanced evasion techniques, including a blockchain-based command and control (C2) channel and a public User Account Control (UAC) bypass to infiltrate Windows systems. The malware disables security measures like the Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP) through a hardware-breakpoint technique, allowing it to avoid detection by signature-based memory scanners. PHANTOMPULSE hides its core files in encrypted registry blobs and creates scheduled tasks that appear as .NET Framework updates. Its decentralized C2 framework queries public blockchains for operational data, but it lacks sender authentication, which can be exploited by defenders. The malware inventories the system for antivirus software and targets high-value applications. It employs a UAC bypass technique called “schuac” to gain elevated permissions. Analysts attribute this campaign to DPRK-aligned threat actors, particularly the BlueNoroff group, due to its focus on cryptocurrency wallets and blockchain exploitation. Defenders can identify new infrastructure by searching blockchain ledgers for a specific hex signature associated with the malware's C2 encryption routine.

Tech Optimizer

May 28, 2026

CertiK Launches AI Skill Scanner, An Antivirus Software for the AI Age

CertiK has launched the CertiK Skill Scanner, a security solution designed to protect AI Agents and third-party AI Skills. It targets AI Skill marketplaces, enterprises, developers, and users, focusing on identifying risks during execution, particularly in financial transactions. The scanner can be integrated into publishing pipelines for automatic reviews and provides a scored assessment of risks with verdicts of “pass,” “warn,” or “fail.” It boasts a 90.5% precision rate in identifying security risks. The scanner is already deployed in select Web3 environments and aims to expand its integrations. CertiK, founded in 2017, is a leading Web3 security service provider, having worked with over 5,000 enterprise clients, including Binance and Ant Group.

Tech Optimizer

May 27, 2026

‘Adversaries are no longer just targeting products, they’re targeting the developers who build them’: CrowdStrike takes down major botnet targeting developers across the world

CrowdStrike, Google, and the Shadowserver Foundation dismantled the Glassworm botnet on May 26, 2026, which had been targeting software developers since early 2025. The botnet spread through compromised Visual Studio Code extensions, tainted npm and Python packages, and hacked GitHub repositories, stealing developer credentials and deploying the GlasswormRAT remote access tool across Windows, macOS, and Linux. Glassworm utilized four command-and-control channels: the Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS. The operation successfully disrupted all four channels, preventing infected machines from receiving new instructions or payloads.

AppWizard

May 20, 2026

Google’s AI Studio enables rapid Android app creation in minutes

Google has introduced enhanced web-based AI tools in its AI Studio platform, allowing users to generate complete native Android applications from natural-language prompts. This process enables individuals without programming skills to create installable APKs in minutes. The Build mode accepts plain-English descriptions to construct comprehensive native Android projects, which can then be customized in Android Studio. The tools support integration with third-party APIs and Web3 SDKs, allowing AI-generated apps to interact with blockchain functionalities. This development offers opportunities for the cryptocurrency sector, enabling decentralized finance protocols or wallet providers to create lightweight companion apps without extensive engineering teams. The integration with the Android ecosystem positions Google to reshape competitive dynamics in mobile app development. However, there are security concerns regarding the AI-generated code, particularly related to vulnerabilities in rapidly generated mobile apps that interact with smart contracts.

AppWizard

May 12, 2026

This devious Android malware has returned disguised as TikTok or streaming apps — and is now using blockchain to remain undetected

Researchers at ThreatFabric have identified a new variant of the TrickMo banking trojan, named TrickMo.C, targeting Android users in Europe since January 2026. TrickMo.C disguises itself as popular applications like TikTok and streaming services, using tactics such as phishing overlays to harvest login credentials and sensitive information. It can log keystrokes, record screens, livestream content, intercept SMS messages, suppress OTP notifications, modify the clipboard, filter notifications, and capture screenshots. The primary targets are in France, Italy, and Austria, allowing unauthorized access to bank accounts and cryptocurrency wallets. TrickMo.C distinguishes itself by using the TON network for communication, which enhances anonymity and complicates detection efforts.

AppWizard

May 11, 2026

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

Modern Android banking malware is evolving with architectural enhancements for increased stealth, resilience, and operational flexibility. In early 2026, a new variant of the TrickMo Android banking trojan was identified, actively targeting banking and wallet users in France, Italy, and Austria. This variant has replaced its predecessor in ongoing campaigns and has transitioned its command-and-control traffic to The Open Network (TON). Key features of the new TrickMo variant include: - The primary command-and-control channel now operates over TON, utilizing .adnl endpoints through an embedded local TON proxy. - It employs a runtime-loaded APK (dex.module) with enhanced functionalities, including reconnaissance, SSH tunneling, and SOCKS5 proxying, allowing infected devices to act as network pivots. - TrickMo is classified as Device Take Over (DTO) malware, targeting banking, fintech, wallet, and authenticator applications on Android devices. - Operators gain control over infected devices through accessibility-service permissions, enabling capabilities such as credential phishing, keylogging, screen recording, remote control, and SMS interception. The new variant features a modular architecture with a host APK functioning as a launcher and persistence layer, while offensive capabilities are delivered through the dynamically loaded dex.module. Significant enhancements include network reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and socket-level tunneling via an embedded SSH client. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo dropper applications and host applications. The malware retains unused permissions for NFC capabilities, suggesting a strategic approach to device filtering.

BetaBeacon

May 9, 2026

7 Addictive Card and Strategy Games Android Users Should Try in 2026

Hearthstone has a Google Play rating of 4.1+ and has been downloaded over 100 million times.