command-and-control Archives

AppWizard

June 8, 2026

NFCShare Android malware spreads via fake banking app updates on GitHub

New variants of the NFCShare Android malware are disguised as fake updates for legitimate banking applications and are targeting customers of various banks in Europe through a phishing campaign to steal sensitive payment card data. The malware prompts victims to place their cards near the NFC chip of their mobile devices, using Android’s IsoDep interface to read card information, including card number, type, expiry date, and a 4-digit PIN. The stolen data is exfiltrated to the attacker’s command-and-control host via a WebSocket channel. Recent attacks began on May 14, with victims directed to a phishing site that impersonates a legitimate bank and then to a GitHub repository hosting a malicious APK file. The repository has hosted 56 unique APKs impersonating banking applications primarily from Italy and Spain. The malware has evolved from initially targeting Deutsche Bank in Germany to a broader range of banks. The latest version features malformed APK packaging to complicate automated analysis. Users are advised to download banking applications only from Google Play and to be cautious of verification requests that ask for NFC card scans.

Tech Optimizer

June 6, 2026

Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises

Researchers have identified a new malware called JS.MonoGlyphRAT, which disguises itself as business documents to infiltrate corporate networks. It is primarily spread through phishing emails targeting various sectors in the U.S. and has been reported in countries like Germany, Sweden, and Australia. The malware is classified as "Unknown malware" on threat intelligence platforms, making traditional antivirus solutions ineffective. It establishes a persistent presence in the network by executing a JavaScript file and communicating with command-and-control (C2) servers over HTTP. Key indicators of compromise include unusual HTTP traffic, registry changes, and the execution of specific JavaScript files. The malware can download additional payloads and execute commands without leaving traces on disk. Indicators of compromise include specific IP addresses, URLs, file hashes, and registry keys associated with the malware's operation.

Winsage

June 2, 2026

PHANTOMPULSE RAT Uses UAC Bypass to Hijack Windows Systems

PHANTOMPULSE is a remote access trojan (RAT) used as a final payload in multi-stage attacks targeting Windows environments. It employs advanced post-exploitation techniques, including process injection, User Account Control (UAC) bypass, and a decentralized blockchain-based command-and-control (C2) mechanism. The malware utilizes three process injection techniques: module stomping, manual DLL mapping, and debug-driven execution. It avoids detection by using direct system calls instead of standard Windows APIs and incorporates a hardware breakpoint mechanism to disable security protections like AMSI and ETW. PHANTOMPULSE retrieves its C2 server address from Ethereum-based transaction data but has a vulnerability that allows defenders to hijack communication. It achieves persistence through scheduled tasks and supports self-healing capabilities. Privilege escalation is done using the "schuac" UAC bypass technique. The malware conducts system reconnaissance focusing on cryptocurrency wallets and messaging apps but does not directly steal credentials. It shows signs of AI-assisted development and shares tactics with DPRK-aligned threat groups, particularly in targeting cryptocurrency platforms.

Tech Optimizer

May 27, 2026

‘Adversaries are no longer just targeting products, they’re targeting the developers who build them’: CrowdStrike takes down major botnet targeting developers across the world

CrowdStrike, Google, and the Shadowserver Foundation dismantled the Glassworm botnet on May 26, 2026, which had been targeting software developers since early 2025. The botnet spread through compromised Visual Studio Code extensions, tainted npm and Python packages, and hacked GitHub repositories, stealing developer credentials and deploying the GlasswormRAT remote access tool across Windows, macOS, and Linux. Glassworm utilized four command-and-control channels: the Solana blockchain, BitTorrent DHT, Google Calendar event titles, and traditional VPS. The operation successfully disrupted all four channels, preventing infected machines from receiving new instructions or payloads.

AppWizard

May 20, 2026

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Cybersecurity researchers have identified an ad fraud and malvertising operation called Trapdoor, targeting Android users with 455 malicious applications and 183 command-and-control domains. Users often download these disguised apps, which initiate malvertising campaigns and lead to further downloads of malicious applications. At its peak, Trapdoor generated 659 million bid requests daily, with over 24 million downloads of the associated apps, primarily from the United States. The operation exploits install attribution tools to activate malicious activities only for users acquired through fraudulent ad campaigns, while suppressing such behavior for organic downloads. Trapdoor employs advanced evasion techniques, including obfuscation and impersonation of legitimate software, to avoid detection. Google has removed the identified malicious apps from the Play Store in response to the threat.

AppWizard

May 12, 2026

TrickMo Android Malware Targets Banking, Wallet, and Authenticator Apps

TrickMo, an Android banking malware, has re-emerged with enhanced stealth and operational capabilities, targeting banking, fintech, wallet, and authenticator apps. It retains its core device takeover abilities while improving stealth, persistence, and flexibility. The malware persuades users to grant accessibility permissions, allowing full remote control, including real-time screen viewing. A significant advancement is its shift to The Open Network (TON) for command-and-control communication, complicating takedown efforts. TrickMo has been actively deployed in France, Italy, and Austria since early 2026, using fake login overlays to capture credentials while recording user activity. It communicates through .adnl endpoints within the TON network and employs DNS-over-HTTPS for encrypted DNS queries. The malware's modular design includes a primary application as a loader and a dynamically loaded APK module called “dex.module” for malicious capabilities. It features network reconnaissance and tunneling capabilities, allowing commands like HTTP probing and establishing SSH tunnels, which can bypass fraud detection systems. Dormant features suggest potential for future capabilities without altering the core application. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo's various components.

AppWizard

May 11, 2026

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

Modern Android banking malware is evolving with architectural enhancements for increased stealth, resilience, and operational flexibility. In early 2026, a new variant of the TrickMo Android banking trojan was identified, actively targeting banking and wallet users in France, Italy, and Austria. This variant has replaced its predecessor in ongoing campaigns and has transitioned its command-and-control traffic to The Open Network (TON). Key features of the new TrickMo variant include: - The primary command-and-control channel now operates over TON, utilizing .adnl endpoints through an embedded local TON proxy. - It employs a runtime-loaded APK (dex.module) with enhanced functionalities, including reconnaissance, SSH tunneling, and SOCKS5 proxying, allowing infected devices to act as network pivots. - TrickMo is classified as Device Take Over (DTO) malware, targeting banking, fintech, wallet, and authenticator applications on Android devices. - Operators gain control over infected devices through accessibility-service permissions, enabling capabilities such as credential phishing, keylogging, screen recording, remote control, and SMS interception. The new variant features a modular architecture with a host APK functioning as a launcher and persistence layer, while offensive capabilities are delivered through the dynamically loaded dex.module. Significant enhancements include network reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and socket-level tunneling via an embedded SSH client. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo dropper applications and host applications. The malware retains unused permissions for NFC capabilities, suggesting a strategic approach to device filtering.

Winsage

May 11, 2026

Rustinel: Open-source endpoint detection for Windows and Linux

Open-source endpoint detection tools have typically been divided between Windows and Linux, with Windows solutions focused on Sysmon and Linux solutions on eBPF or auditd. Rustinel is a Rust-based endpoint agent that consolidates these efforts by gathering telemetry from both operating systems using ETW on Windows and eBPF on Linux, normalizing the data into a unified model. It evaluates the information against Sigma rules, YARA signatures, and atomic indicators of compromise, storing alerts in ECS-compatible NDJSON format for integration with SIEM or log-analysis platforms. Rustinel supports a range of events on Windows, including process creation, network activity, and PowerShell executions, while Linux support currently includes process, network, file, and DNS telemetry. It operates in user mode on both platforms, requiring specific conditions for installation. Unlike commercial EDR solutions that use kernel drivers, Rustinel's user-mode design prioritizes simplicity and stability, although it acknowledges limitations in tamper resistance and visibility. The agent utilizes three detection engines: Sigma for behavioral matching, YARA for scanning executables, and an IOC engine for deterministic checks. While it leverages existing content familiar to defenders, it has coverage gaps for certain advanced threats. Rustinel is available on GitHub under the Apache 2.0 license.

BetaBeacon

May 5, 2026

ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows

ScarCruft compromised a video game platform in a supply chain attack, trojanizing its components with a backdoor called BirdCall to target ethnic Koreans residing in China. The attack enabled the threat actors to target both Windows and Android devices, turning it into a multi-platform threat. The campaign targeted sqgame[.]net, a gaming platform used by ethnic Koreans in China, known as a transit point for North Korean defectors. BirdCall has features like screenshot capture, keystroke logging, and data gathering, and relies on legitimate cloud services for command-and-control. The Android variant collects various data and has seen active development.

BetaBeacon

May 5, 2026

ScarCruft hackers push BirdCall Android malware via game platform

APT37, also known as ScarCruft and Ricochet Chollima, has developed an Android version of the backdoor BirdCall, which serves as spyware in addition to a backdoor. The malware was delivered through a Chinese website that hosts games for Android, iOS, and Windows, targeting only Android and Windows systems. The Android variant of BirdCall has capabilities such as extracting IP geolocation information, collecting contact lists, call logs, SMS data, device information, taking screenshots, recording audio, and exfiltrating files. Users are advised to download software only from official marketplaces and trusted publisher sites to protect against malware infections.