evasion Archives

BetaBeacon

March 19, 2026

Tencent’s Arena Breakout enters India with closed beta on Android and iOS

- Players can access the beta of Arena Breakout by registering through the official link shared by the company and downloading the game via platform-specific links. - The rollout is being conducted in batches, so not all registrants will receive immediate entry.

AppWizard

March 12, 2026

Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets

Cybersecurity researchers have identified six new families of Android malware designed to extract sensitive data and facilitate financial fraud. Notable threats include: - PixRevolution: Targets Brazil's Pix payment platform, activates during Pix transfers, and uses real-time monitoring to intervene in transactions. Victims are tricked into installing malicious apps from counterfeit Google Play Store listings, which enable accessibility services for the malware to capture screens and overlay fake interfaces to reroute funds. - BeatBanker: Spreads through phishing attacks disguised as legitimate Google Play Store pages. It uses an inaudible audio loop for persistence, functions as a banking trojan, and includes a cryptocurrency miner. It creates deceptive overlays for platforms like Binance and Trust Wallet to divert funds and can monitor web browsers and execute remote commands. - TaxiSpy RAT: Exploits accessibility services to gather sensitive information such as SMS messages and call logs, targeting banking and cryptocurrency applications with overlays for credential theft. It employs advanced evasion techniques like native library encryption and real-time remote control. - Mirax: A private malware-as-a-service (MaaS) offering with a subscription model that provides tools for banking overlays and information gathering, including keystrokes and SMS. - Oblivion: Another Android RAT available at a competitive price, featuring capabilities to bypass security measures on various devices. - SURXRAT: Distributed through a Telegram-based MaaS ecosystem, it uses accessibility permissions for persistent control and communicates with a Firebase-based command-and-control infrastructure. Some samples incorporate a large language model component, indicating experimentation with AI by threat actors.

Tech Optimizer

March 11, 2026

Attackers Use Malformed ZIP Archives to Evade Antivirus and EDR Tools

Cybersecurity researchers at the CERT Coordination Center (CERT/CC) have identified a new evasion technique, VU#976247, used by threat actors to exploit malformed ZIP archives and bypass Antivirus (AV) and Endpoint Detection and Response (EDR) systems. Attackers manipulate the internal headers of ZIP files, particularly altering the compression method field, which causes security tools to fail in analyzing the malicious payload. While some security products may flag the modified files as corrupted, they often do not detect the underlying malicious code. Standard extraction tools typically trust the tampered metadata and may return errors, leaving the hidden payload undisclosed. Attackers use custom malware loaders to extract and execute the malicious data, circumventing traditional AV detection. Cisco has been confirmed as affected, while other vendors, including AhnLab, Avast, Bitdefender, and Avira, have an “Unknown” status regarding their vulnerability. To mitigate this threat, organizations should enhance archive handling processes, avoid relying solely on declared metadata, adopt aggressive detection modes, flag metadata inconsistencies, and consult with AV and EDR providers about vulnerabilities.

Tech Optimizer

March 11, 2026

Malformed ZIP Files Allows Attackers to Bypass Antivirus and EDR Detections

A vulnerability identified as CVE-2026-0866 allows malicious actors to exploit malformed ZIP headers to bypass antivirus and Endpoint Detection and Response (EDR) systems. This flaw occurs because most security solutions rely on metadata within ZIP archives to scan and process files. When the compression method field is altered, security scanners may fail to decompress the archive correctly, resulting in a false negative and leaving the malicious payload undetected. Attackers can then use a custom loader to access the embedded malicious data, circumventing standard extraction tools. Cisco has been confirmed as affected by this vulnerability, while nearly 30 other security vendors have not disclosed their status. The cybersecurity community is urged to evolve scanning methodologies, including not relying solely on declared metadata and implementing aggressive detection modes. Organizations should verify their antivirus and EDR solutions for vulnerability to CVE-2026-0866 and monitor for custom loaders.

AppWizard

March 11, 2026

New BeatBanker Android malware poses as Starlink app to hijack devices

A newly identified Android malware called BeatBanker disguises itself as a Starlink application on fake Google Play Store websites. It functions as a banking trojan and includes Monero mining capabilities, allowing it to steal credentials and manipulate cryptocurrency transactions. Researchers at Kaspersky traced BeatBanker to campaigns targeting users in Brazil. The latest version uses the BTMOB RAT for remote access, enabling keylogging, screen recording, camera access, GPS tracking, and credential capture. BeatBanker is distributed as an APK file that decrypts and loads hidden code into memory, conducting environment checks before activation. It presents a fake Play Store update screen to trick users into granting permissions for additional payloads. To avoid detection, it delays malicious operations and plays a nearly inaudible MP3 file to maintain persistent activity. The malware uses a modified version of the XMRig miner to mine Monero on Android devices, connecting to mining pools through encrypted TLS connections. It can start or stop mining based on device conditions and uses Firebase Cloud Messaging to relay device information to its command-and-control server. Currently, BeatBanker infections have only been observed in Brazil, but there are concerns about its potential spread. Users are advised to avoid side-loading APKs from untrusted sources and to review app permissions regularly.

Winsage

March 2, 2026

Fake Xeno and Roblox Utilities Used to Install Windows RAT, Microsoft Warns

Cybersecurity experts at Microsoft Threat Intelligence have identified a trend where attackers distribute counterfeit gaming tools that install a remote access trojan (RAT) on users' systems. These trojanized executables, such as Xeno.exe or RobloxPlayerBeta.exe, are shared through browsers and chat platforms. The initial executable acts as a downloader, installing a portable Java runtime environment and launching a harmful Java archive, jd-gui.jar. Attackers use built-in Windows tools to execute commands via PowerShell and exploit trusted system binaries, minimizing detection risk. The embedded PowerShell script connects to remote locations, downloads an executable as update.exe, and executes it. The malware erases evidence of the downloader and modifies Microsoft Defender settings to allow RAT components to function undetected. It establishes persistence through scheduled tasks and a startup script named world.vbs, enabling prolonged access to the compromised device. Microsoft Defender can detect the malware and its behaviors, and organizations are advised to monitor outbound traffic and block identified domains and IP addresses. Users are encouraged to scrutinize Microsoft Defender exclusions and scheduled tasks for irregularities and remain cautious about downloading tools from unofficial sources.

AppWizard

February 23, 2026

Resident Evil Requiem is this week’s headline PC game but don’t forget the Witchers, pirates and pinballs

Steam Next Fest is currently taking place, showcasing a variety of game demos. This year, the focus is on highlighting exciting demos rather than creating a wishlist. Some notable games featured include: - A game inspired by hiding spiders under cups at holiday parties, which includes power-up cards that are not microtransactions. - Rise Of Piracy, an early access RTS by MicroProse, where players command a fleet of corsairs and can engage in diplomacy and trading. - Emberbane, a 2D metroidvania with elemental martial arts elements. - Reigns: The Witcher, a deck-building narrative game set in the Witcher universe, where players control Dandelion. - Utawarerumono: ZAN 2, an anime-style hack-and-slash game with base management and humorous elements. - Spellcasters Chronicles, a 3v3 wizard MOBA from Quantic Dream. - Tales of Berseria Remastered, a revamped action-RPG from Bamco. - Snägäri Pinball, a pinball game themed around Finland’s late-night snack kiosks. - Resident Evil Requiem, Capcom's latest horror installment featuring both third-person and first-person gameplay. - Arrow World, a sokoban-style game with conveyor belt mechanics. The RPS team is actively playing Resident Evil Requiem and sharing their experiences.

Winsage

February 20, 2026

Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets

Attackers are using social media advertising, specifically paid Facebook ads, to promote a malware campaign disguised as legitimate Microsoft promotions. They create near-exact replicas of the official Windows 11 download page to lure users into downloading malicious software. The deceptive domains used include ms-25h2-download[.]pro and ms-25h2-update[.]pro. The malware campaign employs geofencing to selectively target victims, redirecting security researchers to benign sites while delivering malware to unsuspecting users. The malicious file, named ms-update32.exe, is hosted on GitHub and mimics the size of a legitimate Windows installer. Once executed, it checks for monitoring tools and, if none are detected, installs an application named "Lunar" that collects sensitive data, including cryptocurrency wallet information. The malware maintains persistence by writing data to the Windows registry and employs various obfuscation techniques to evade detection. The attackers run parallel ad campaigns with different Facebook Pixel IDs to ensure continued operation even if one is suspended. Indicators of compromise include specific file hashes, domains, file system artifacts, and registry keys associated with the malware.

AppWizard

February 19, 2026

PromptSpy Android Malware Abuses Google Gemini to Automate Recent-Apps Persistence

Cybersecurity researchers have identified a new Android malware named PromptSpy that utilizes Google's Gemini AI chatbot to enhance its capabilities and persistence on infected devices. PromptSpy can capture lockscreen data, obstruct uninstallation, gather device information, take screenshots, and record screen activity. It integrates Gemini to analyze the current screen and provide instructions to keep the malware active in the recent apps list. The malware uses a hard-coded AI model and communicates with a command-and-control server via the VNC protocol, allowing remote access to the victim's device. It is financially motivated, targeting users in Argentina, and was developed in a Chinese-speaking environment. PromptSpy is distributed through a dedicated website and is considered an advanced version of a previously unidentified malware called VNCSpy.

AppWizard

February 19, 2026

New ‘Massiv’ Android banking malware poses as an IPTV app

A new strain of Android banking malware called Massiv is disguised as an IPTV application to steal digital identities and access online banking accounts. It uses screen overlays and keylogging techniques to capture sensitive information and can take remote control of compromised devices. Massiv has been observed targeting a Portuguese government application related to Chave Móvel Digital, which contains user data that could bypass know-your-customer (KYC) verifications. The malware allows fraudsters to open accounts in the victim's name at new banks and services, enabling money laundering and loan acquisition. Massiv features two remote control modes: a screen live-streaming mode and a UI-tree mode that extracts structured data from the Accessibility Service. There has been an increase in the use of IPTV applications as bait for Android malware infections, with many of these apps serving as droppers for the malware. The fake IPTV apps primarily target users in Spain, Portugal, France, and Turkey. Users are advised to download applications only from reputable sources and keep security measures active.