malware tactics Archives

AppWizard

September 17, 2025

224 Malicious Android Apps on Google Play With 38 Million Downloads Delivering Malicious Payloads

A mobile ad fraud operation called "SlopAds" infiltrated the Google Play Store with 224 malicious applications, which collectively achieved over 38 million downloads across 228 countries. The operation utilized advanced steganography and obfuscation techniques to deliver fraudulent advertising payloads while avoiding detection. SlopAds activated its fraud system selectively based on specific advertising campaigns, generating around 2.3 billion fraudulent bid requests daily, primarily from the United States (30%), India (10%), and Brazil (7%). The malicious apps exploited Firebase Remote Config to retrieve encrypted data for downloading a primary fraud module named "FatModule." This module was concealed within PNG image files, allowing it to bypass traditional security measures. The FatModule included anti-analysis features to evade detection by security researchers. Google has since removed all identified SlopAds applications from the Play Store and implemented protections through Google Play Protect.

Tech Optimizer

July 7, 2025

XWorm RAT Deploys New Stagers and Loaders to Bypass Defenses

The XWorm Remote Access Trojan (RAT) has evolved its attack strategies by incorporating advanced stagers and loaders to evade detection. It is known for its capabilities, including keylogging, remote desktop access, data exfiltration, and command execution, and is particularly targeted at the software supply chain and gaming sectors. Recent campaigns have paired XWorm with AsyncRAT for initial access before deploying ransomware using the leaked LockBit Black builder. XWorm utilizes various file formats and scripting languages for payload delivery, often through phishing campaigns with deceptive lures like invoices and shipping notifications. It employs obfuscation techniques, including Base64 encoding and AES encryption, and manipulates Windows security features to avoid detection. Persistence mechanisms such as registry run keys and scheduled tasks ensure sustained access. XWorm conducts system reconnaissance, queries for antivirus software, and attempts to disable Microsoft Defender. It can propagate via removable media and execute commands from command-and-control servers. The Splunk Threat Research Team has developed detections for suspicious activities related to XWorm infections. Indicators of compromise include various file hashes for different scripts and loaders associated with XWorm.

Winsage

June 26, 2025

Researchers Demonstrate Windows Registry Manipulation via C++ Program

Cybersecurity researchers have developed a C++ program that demonstrates how attackers manipulate the Windows Registry to establish persistence, evade security measures, and alter system behavior. The Windows Registry is a database for system, application, and user settings, making it a target for malware. Key tactics include: - Persistence: Malware adds entries to auto-start locations to survive system reboots. - Evasion: Attackers modify security-related keys to circumvent defenses. - Privilege Escalation: Weak permissions on service keys can allow redirection of execution paths. The C++ program uses Windows API functions to create or modify registry keys, simulating real-world malware tactics. Key functions include: - RegCreateKeyEx: Opens or creates a registry key. - RegSetValueEx: Writes a value into the specified key. Red teamers use such code to simulate threats, focusing on persistence, configuration tampering, and payload storage. Blue teams can mitigate risks through monitoring, restricting permissions, and endpoint detection. The demonstration emphasizes the importance of ethical testing practices and the need for proactive registry monitoring and least-privilege access controls in cybersecurity.