malicious operations

AppWizard
September 24, 2025
A financially motivated cybercrime group has been targeting Android users in Indonesia and Vietnam by deploying banking trojans disguised as legitimate government applications. They spoof Google Play Store and App Store interfaces to deliver malicious APKs through obfuscated WebSocket connections, evading traditional security measures. Analysis of over 100 malicious domains shows they use Alibaba ISP, Gname.com for domain registration, and share-dns.net nameservers, with rapid DNS resolutions occurring within about 10.5 hours during peak daytime hours in Eastern Asia. The group's delivery mechanism utilizes the Socket.IO library for real-time WebSocket connections, allowing them to stream malicious APKs in small chunks. The downloaded file, often named IdentitasKependudukanDigital.apk, installs a variant of the BankBot trojan family. Some simpler spoofed sites offer direct download links with mixed language code strings, indicating the use of multilingual templates. Domain registration data from August 2024 to September 2025 shows these threat actors frequently reuse TLS certificates and cluster spoofed sites on identical IP addresses, primarily hosted via Alibaba and Scloud. These domains share server titles and operate on Nginx, with first-seen DNS queries typically lagging 10.5 hours behind registration times. Infections communicate with command and control domains, highlighting a coordinated infrastructure. The campaign emphasizes the need for behavioral detection and real-time traffic inspection to identify anomalous WebSocket file transfers.
Tech Optimizer
August 30, 2025
Cybersecurity experts have identified a new malware framework called PS1Bot, which features a modular architecture allowing it to perform various malicious actions, including information theft, keylogging, reconnaissance, and establishing persistent access. PS1Bot employs stealth techniques, such as in-memory execution, to minimize its digital footprint and complicate forensic investigations. Active since early 2025, it uses malvertising as a primary infection vector, delivering a compressed archive containing a JavaScript payload that downloads and executes a PowerShell script. This script connects to a command-and-control server to retrieve additional commands and can perform actions like antivirus detection, screen capture, data extraction from cryptocurrency wallets, and maintaining persistence on the infected system. The information stealer module is particularly concerning due to its ability to locate sensitive files related to cryptocurrency. PS1Bot shares technical similarities with AHK Bot and is linked to previous ransomware campaigns using Skitnet. In response to these threats, Google has implemented advanced AI systems to combat invalid traffic, achieving a 40% reduction in deceptive ad practices.
Winsage
September 5, 2024
A critical remote code execution (RCE) vulnerability, designated as CVE-2024-30078, has been identified in the Wi-Fi drivers of various Microsoft Windows versions, affecting over 1.6 billion active devices globally. This vulnerability is present in Windows 10, Windows 11, and several Windows Server versions, specifically within the Dot11Translate80211ToEthernetNdisPacket() function of the native Wi-Fi driver (nwifi.sys). It has been actively exploited in regions like the United States, China, and parts of Europe, posing risks to industries reliant on Wi-Fi networks and Windows infrastructure. The vulnerability allows attackers to send specially crafted network packets to gain unauthorized access without requiring advanced techniques or user interaction. The root cause is a flaw in the Link Layer Control (LLC) component of the network stack related to packet length management when using Virtual LAN (VLAN), leading to potential out-of-bounds reads and arbitrary code execution. Successful exploitation can result in malware installation, lateral movement within networks, botnet recruitment, and data exfiltration. Microsoft released a security patch in June 2024 to address this vulnerability. Recommended mitigation strategies include timely patch application, implementing WPA3, using strong passwords, network segmentation, deploying intrusion detection and prevention systems, conducting regular security audits, user education on cybersecurity best practices, and adopting a zero-trust security model.
Winsage
August 20, 2024
Microsoft addressed a privilege escalation vulnerability in the Windows Ancillary Function Driver (AFD.sys) for WinSock, designated as CVE-2024-38193, with a severity score of 7.8. This vulnerability could allow attackers to gain administrative privileges on affected systems. Security firms have linked this flaw to the Lazarus Group, a North Korean state-sponsored hacking organization, which exploited it to gain unauthorized access to sensitive system areas. The group targets individuals in high-stakes fields, including cryptocurrency engineering and aerospace, to infiltrate networks and steal cryptocurrencies. Lazarus Group is known for creating deceptive job offers to lure software developers, with one incident resulting in a theft of approximately 0 million from a cryptocurrency initiative.
Winsage
August 17, 2024
Check Point Research (CPR) has identified a new malware variant called Styx Stealer, which extracts sensitive information from users, including browser data, instant messaging sessions from Telegram and Discord, and cryptocurrency assets. Styx Stealer is linked to the developer Sty1x, associated with the threat actor Fucosreal and the Agent Tesla malware. An operational security failure by the developer led to the accidental leak of sensitive data, allowing CPR to trace the malware back to its creator. Styx Stealer inherits functionalities from Phemedrone Stealer, capable of extracting saved passwords, cookies, auto-fill data, and information from browser extensions and cryptocurrency wallets. It can also capture session data from Telegram and Discord, gather system information, and take screenshots. The malware features auto-start capabilities, clipboard monitoring, and enhanced evasion techniques, and is marketed through a subscription model. In March 2024, a spam campaign distributing a malicious TAR archive containing Agent Tesla malware targeted various industries. CPR identified 54 customers who purchased Styx Stealer and Styx Crypter products, generating approximately ,500 in revenue over two months, with payments accepted in cryptocurrencies like Bitcoin and Monero. Styx Stealer employs evasion techniques to avoid detection, including checks for debugging tools and virtual machine environments.
AppWizard
June 26, 2024
Cyber threat entities are disguising open-source Android applications, such as Instagram and WhatsApp, to conduct malicious cyber operations using the Rafel RAT. This tool can steal data, record audio and video, capture screenshots, and download files from devices. It can also remotely access devices, turn on microphones, access contact lists, trigger device vibrations, and control device cameras without users' knowledge. The Rafel RAT has been used in about 120 malicious operations targeting various countries and high-profile organizations, with Samsung smartphone users being the most affected. Almost 90% of affected devices were running outdated Android versions lacking security patches. To protect against such threats, it is crucial to update antivirus software, avoid downloading apps from unknown sources, and monitor devices for unusual activity.
Winsage
June 12, 2024
The attack starts with a phishing email carrying a .ZIP archive that contains an HTML file, which bypasses antivirus and email security programs. The HTML file forces the browser to interact with Windows Explorer's search function, ultimately leading victims to download a malicious batch script. The researchers were unable to obtain the attack's payload because the server had been shut down.