cryptocurrency wallet Archives

AppWizard

April 17, 2026

New RecruitRat, SaferRat, Astrinox, Massiv Android Malware Found Targeting 800 Apps

Cybersecurity researchers from Zimperium zLabs have identified four families of Android malware—RecruitRat, SaferRat, Astrinox, and Massiv—targeting banking and cryptocurrency applications. These malware families can extract sensitive information from over 800 applications. They primarily use phishing and smishing to lure users into downloading malicious software. Phishing involves creating fake websites resembling legitimate login pages, while smishing uses urgent text messages with links to download harmful payloads. RecruitRat targets job seekers with fake employment websites, and SaferRat promises free access to premium video services. Astrinox mimics a business tool and has been linked to a fraudulent Apple App Store page, while Massiv's distribution methods remain unclear. Once installed, these malware applications initiate Overlay attacks, displaying counterfeit screens to capture user credentials. They also use a "blindfold" technique to obscure their activities by overlaying static images on the user's screen. The malware can intercept security codes, capture one-time passwords, and employ keylogging techniques. RecruitRat has a library of over 700 counterfeit login pages that activate with targeted apps. Researchers recommend avoiding links in urgent messages and downloading apps only from official sources.

Winsage

April 16, 2026

Fake Proton VPN sites are pushing NWHStealer malware to Windows users

A malware campaign is utilizing counterfeit Proton VPN websites and other deceptive tactics to distribute a Windows infostealer known as NWHStealer. This malware extracts sensitive information, including browser credentials and cryptocurrency wallet details, and operates stealthily by injecting itself into legitimate processes. Two primary infection vectors have been identified: malicious ZIP archives on a free web hosting platform and trojanized installers from fake Proton VPN sites. The malware employs DLL hijacking and can exfiltrate data to a command-and-control server while ensuring persistence through scheduled tasks and disguising payloads as legitimate system processes. It also exploits the Windows cmstp.exe utility to bypass User Account Control. Users are advised to avoid downloading software from unofficial sources and to verify file signatures and publisher information.

Tech Optimizer

April 6, 2026

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins. These packages exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants. Each package consists of three files—package.json, index.js, and postinstall.js—without descriptions or repositories, and all use version 3.6.8 to mimic legitimate Strapi plugins. The malicious packages follow a naming convention starting with "strapi-plugin-" and were uploaded by four accounts within 13 hours. The identified packages include names like strapi-plugin-cron, strapi-plugin-database, and strapi-plugin-server. The malicious code is embedded in the postinstall script, executing automatically upon installation with the same privileges as the user. The payloads evolve from exploiting Redis for remote code execution to attempting direct PostgreSQL database exploitation and deploying persistent implants for remote access. The campaign appears to target cryptocurrency platforms, as indicated by the focus on credential theft and digital assets. Users of these packages are advised to assume compromise and rotate credentials. This incident reflects a broader trend of supply chain attacks in the open-source ecosystem, with recent examples including credential exfiltration payloads in GitHub repositories and compromised GitHub Actions workflows. Group-IB reported that software supply chain attacks are increasingly reshaping the cyber threat landscape, targeting trusted vendors and open-source software to gain access to downstream organizations.

Tech Optimizer

March 27, 2026

Bogus Avast website fakes virus scan, installs Venom Stealer instead

A deceptive website impersonating Avast antivirus tricks users into downloading Venom Stealer malware, which steals passwords, session cookies, and cryptocurrency wallet information. The site conducts a fake virus scan, falsely reporting threats to encourage users to download a malicious file named Avastsystemcleaner.exe. This file mimics legitimate software and operates stealthily, targeting web browsers to harvest credentials and session cookies. It also captures screenshots and sends stolen data to the command-and-control domain app-metrics-cdn[.]com via unencrypted HTTP. The malware employs evasion techniques to avoid detection and is part of a long-standing cybercrime tactic that exploits user trust in security software. Indicators of compromise include the file hash SHA-256: ecbeaa13921dbad8028d29534c3878503f45a82a09cf27857fa4335bd1c9286d, the domain app-metrics-cdn[.]com, and the network indicator 104.21.14.89.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

Winsage

February 18, 2026

Attackers steal Windows users’ data using fake CAPTCHA checks

Fraudsters are using counterfeit CAPTCHA confirmation pages to deploy StealC, an information-stealing malware targeting Windows systems. Users are tricked into visiting compromised websites where a fake CAPTCHA prompts them to execute a sequence of keystrokes that runs a malicious PowerShell command. This command connects to a remote server, downloads shellcode, and injects the StealC payload into svchost.exe. Once installed, StealC collects sensitive information such as browser credentials, email data, and cryptocurrency wallet details, facilitating fraud and account hijacking. The malware operates primarily in the system's RAM, making detection difficult.

BetaBeacon

December 8, 2025

Running Blockchain Games: Android Requirements & Compatibility

Blockchain games use distributed ledgers to store assets and data, including progress tracking and digital economies. Blockchain technology and cryptocurrency integration have transformed digital entertainment, leading to the development of popular Web3 RPG titles like Axie Infinity. Games built on blockchain networks require devices with minimum requirements for Android version compatibility, CPU and GPU performance, RAM, storage, wallet integration, network connectivity, security, and battery life.

AppWizard

December 8, 2025

Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features

Cybersecurity researchers have identified two new families of Android malware, FvncBot and SeedSnatcher, as well as an upgraded version of ClayRat. FvncBot is designed to target mobile banking users in Poland, masquerading as a security application from mBank. It is built from scratch and includes features such as keylogging, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC). It uses a crypting service called apk0day and communicates with a remote server at naleymilva.it.com. FvncBot requests accessibility permissions to operate with elevated privileges and can perform various malicious activities, including exfiltrating data and delivering overlays on targeted applications. SeedSnatcher is disguised as a cryptocurrency wallet app called Coin and is distributed via Telegram. It focuses on stealing cryptocurrency wallet seed phrases and can intercept SMS messages to capture two-factor authentication codes. It employs techniques like dynamic class loading and WebView content injection to evade detection and initially requests minimal permissions before escalating its access. The upgraded ClayRat malware now exploits accessibility services and default SMS permissions, allowing it to record keystrokes, capture screen content, and present deceptive overlays. It has been distributed through fraudulent phishing domains and dropper apps that impersonate legitimate services. The enhanced capabilities of ClayRat enable complete device takeovers and persistent overlays, making it a more significant threat than its previous version.

Tech Optimizer

November 1, 2025

maCERT Warns of Rapidly Spreading Spyware “Acreed”

maCERT, the Moroccan national cybersecurity agency, has issued an alert about a new spyware toolkit called Acreed, which emerged in February 2025. Acreed has become one of the most prevalent information stealers on the dark web, accounting for approximately 17% of underground cyber activity. Its primary function is to infiltrate computers and extract sensitive information, which is then sold or exploited by hackers. Acreed spreads through deceptive emails, infected advertisements, and pirated software downloads. It collects data such as usernames, passwords, browser information, cryptocurrency wallet details, and session tokens for cloud services. The data is transmitted to remote servers controlled by cybercriminals. The risks associated with Acreed affect both individuals and business networks. Recommendations to mitigate the threat include keeping antivirus software updated, monitoring for suspicious activity, avoiding unofficial software downloads, and being cautious with unsolicited emails. Users who suspect infection are encouraged to report it to maCERT for assistance.

AppWizard

October 28, 2025

Telegram Messenger Abused by Android Malware to Seize Full Device Control

Security researchers at Doctor Web have identified a sophisticated Android backdoor, named Android.Backdoor.Baohuo.1.origin, disguised as Telegram X, which has compromised over 58,000 devices globally, with around 20,000 active infections. The malware propagates through malicious websites posing as app catalogs and targets approximately 3,000 different models of devices. It features unprecedented control mechanisms via Redis database integration, allowing extensive manipulation of victims' accounts and devices, including hiding evidence of compromise and autonomously managing messaging functionalities. The malware extracts sensitive data, including SMS messages and clipboard contents, and uploads information to attacker servers every three minutes. Brazil and Indonesia are primary targets, with the malware available on third-party app stores under fraudulent identities.