Deception Archives

AppWizard

May 3, 2026

Who is YouTuber Marlow? Minecraft Crystal PvP star accused of hacking, catfishing, fake face reveal, and massive deception scandal

Marlow became a notable figure in Minecraft's Crystal PvP scene, known for her montage videos and distinctive blue and white-haired skin, attracting a large following. However, concerns arose about the authenticity of her content, leading to a scandal involving allegations of deception regarding her identity, with claims that she might be a man using the alias "Danger Mario." Accusations included cheating in ranked matches, staging PvP recreations, and using AI-generated voice tools to maintain her female persona. A report by Dexerto in May 2026 brought the controversy to wider attention, resulting in significant upheaval within MC Tiers, including staff resignations and credibility issues. Prominent players began distancing themselves from Marlow, raising questions about trust and integrity in the competitive Minecraft community.

AppWizard

May 2, 2026

Minecraft PvP scandal claims top player is a catfishing fraud

Marlow, a top player in the Minecraft PvP community, faces serious allegations of faked gameplay, manipulated proof videos, and misleading practices. Accusations suggest that Marlow's rise in the MC Tiers rankings was based on deceit, with investigative journalist Karl Jobst highlighting the lack of live-streamed gameplay and unedited footage. A handcam response video released by Marlow showed discrepancies between match logs and the footage, leading to claims that the fights were fabricated. Marlow admitted that many montages were staged. Investigations linked Marlow to another player, Danger Mario, who allegedly helped create Marlow's YouTube presence and used cheats. A face reveal video raised further skepticism about Marlow's identity, as the individual did not engage in gameplay and had a different voice. Initially banned by MCT for being suspected as Danger Mario, Marlow was reinstated after a face reveal and alleged verification, causing backlash and staff resignations. Claims emerged that the face reveal individual was linked to MCT staff member The Randomizer, who admitted to paying someone to impersonate Marlow. The MCT Discord was reportedly transferred to Minecraft YouTuber DrDonut, with ongoing discussions about new ownership involving Dream. The controversy raises significant questions about the integrity of the Minecraft competitive scene.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

AppWizard

April 8, 2026

VP Duterte warns public vs individuals posing as her on messaging app

Vice President Sara Duterte has warned the public about individuals impersonating her on messaging platforms. She posted on her Facebook and the Office of the Vice President's official page, advising citizens to be cautious of suspicious messages claiming to be from her. A screenshot of a conversation was included where the impersonator requested a list of supportive congressmen. Duterte emphasized not to engage, share personal information, or send money, stating she does not solicit favors from the public.

AppWizard

April 8, 2026

The FBI Warns That Foreign Cybercriminals Have Targeted Messaging App Users

Cybercriminals connected to Russian intelligence are conducting a large phishing campaign targeting messaging applications, impacting thousands of accounts worldwide. A joint advisory from the FBI and CISA reveals that these attacks focus on individuals with access to sensitive information, including government officials, military personnel, political figures, and journalists. The campaign relies on deception, with attackers impersonating official support channels on platforms like Signal, sending messages that prompt victims to click malicious links or provide confidential information. Victims who comply risk losing control of their accounts, allowing attackers to read private messages and access contact lists. This trend has been observed not only in the U.S. but also in the Netherlands, where similar tactics are used against government employees. The FBI notes that the security of the messaging apps is not the issue; rather, the vulnerability lies in human error. The rise of social engineering tactics poses a risk to both high-profile individuals and potentially everyday users, and users are advised to be cautious with unsolicited messages and not to share sensitive information.

AppWizard

March 21, 2026

Cyber actors linked to Russia target messaging app users, FBI warns

The United States has issued a warning about cyber actors linked to Russian intelligence targeting users of commercial messaging applications, particularly Signal, compromising thousands of accounts worldwide. The FBI and CISA released a public service announcement detailing the operation's focus on individuals of “high intelligence value,” including U.S. government officials, military personnel, political figures, and journalists. Attackers have not breached the encryption of these platforms but manipulate users into disclosing credentials or linking devices. Russian intelligence-linked actors often pose as official support accounts, creating urgency to obtain security codes. Dutch intelligence agencies also reported a similar campaign targeting Signal and WhatsApp accounts of dignitaries and military personnel. Users are urged to be cautious of suspicious messages and to avoid sharing personal information. Signal reaffirmed that its encryption remains intact, emphasizing that vulnerabilities arise from user behavior rather than technical flaws in the application itself.

Tech Optimizer

March 13, 2026

Zombie ZIP vulnerability lets compressed malware leisurely stroll past 95% of antivirus apps — security suites are blissfully unaware of security issue

The Zombie ZIP exploit is a vulnerability that allows malware to bypass most antivirus solutions by misleading them about the nature of ZIP file contents. It takes advantage of the ZIP file structure, presenting itself as uncompressed data while hiding compressed information. This vulnerability can be easily implemented in Python with minimal code. The Computer Emergency Response Team (CERT) has issued advisory VU#976247, and the vulnerability is listed as CVE-2026-0866. Systems administrators are advised to be vigilant regarding ZIP files on their networks.

AppWizard

March 12, 2026

Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

Cybersecurity researchers have identified six new families of Android malware designed to extract sensitive data and facilitate financial fraud. Notable threats include: - PixRevolution: Targets Brazil's Pix payment platform, activates during Pix transfers, and uses real-time monitoring to intervene in transactions. Victims are tricked into installing malicious apps from counterfeit Google Play Store listings, which enable accessibility services for the malware to capture screens and overlay fake interfaces to reroute funds. - BeatBanker: Spreads through phishing attacks disguised as legitimate Google Play Store pages. It uses an inaudible audio loop for persistence, functions as a banking trojan, and includes a cryptocurrency miner. It creates deceptive overlays for platforms like Binance and Trust Wallet to divert funds and can monitor web browsers and execute remote commands. - TaxiSpy RAT: Exploits accessibility services to gather sensitive information such as SMS messages and call logs, targeting banking and cryptocurrency applications with overlays for credential theft. It employs advanced evasion techniques like native library encryption and real-time remote control. - Mirax: A private malware-as-a-service (MaaS) offering with a subscription model that provides tools for banking overlays and information gathering, including keystrokes and SMS. - Oblivion: Another Android RAT available at a competitive price, featuring capabilities to bypass security measures on various devices. - SURXRAT: Distributed through a Telegram-based MaaS ecosystem, it uses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure. Some samples incorporate a large language model component, indicating experimentation with AI by threat actors.

AppWizard

February 19, 2026

Massiv: When your IPTV app terminates your savings

Massiv is an Android banking Trojan that disguises itself as legitimate applications, primarily targeting users in southern Europe. It is distributed through side-loading and is capable of remote control over infected devices, enabling Device Takeover attacks that can lead to unauthorized banking transactions. Massiv often masquerades as IPTV applications to attract users seeking online television services. The malware employs overlay functionality to create deceptive screens, keylogging to capture sensitive information, and SMS/Push message interception. It can monitor applications on infected devices and present fake overlays to prompt users for sensitive data. Notably, it has targeted the Portuguese government application gov.pt and connects with Chave Móvel Digital, a digital authentication system, to access victims' banking accounts. Once it captures sensitive data, Massiv allows operators remote access to the device using Android’s AccessibilityService, facilitating real-time observation and manipulation of the user interface. It communicates over a WebSocket channel and supports screen streaming and UI-tree modes for enhanced control. Massiv's distribution includes malware droppers that initially do not contain malicious code but open a WebView to an IPTV website while the actual malware operates in the background. This tactic has increased in recent months, particularly in Spain, Portugal, France, and Turkey. Indicators of compromise include specific SHA-256 hashes and package names associated with the malware. The bot commands allow operators to perform various actions on the infected device, such as clicking coordinates, installing APKs, and showing overlays.

Winsage

February 18, 2026

Attackers steal Windows users’ data using fake CAPTCHA checks

Fraudsters are using counterfeit CAPTCHA confirmation pages to deploy StealC, an information-stealing malware targeting Windows systems. Users are tricked into visiting compromised websites where a fake CAPTCHA prompts them to execute a sequence of keystrokes that runs a malicious PowerShell command. This command connects to a remote server, downloads shellcode, and injects the StealC payload into svchost.exe. Once installed, StealC collects sensitive information such as browser credentials, email data, and cryptocurrency wallet details, facilitating fraud and account hijacking. The malware operates primarily in the system's RAM, making detection difficult.