proxy Archives

AppWizard

May 12, 2026

This devious Android malware has returned disguised as TikTok or streaming apps — and is now using blockchain to remain undetected

Researchers at ThreatFabric have identified a new variant of the TrickMo banking trojan, named TrickMo.C, targeting Android users in Europe since January 2026. TrickMo.C disguises itself as popular applications like TikTok and streaming services, using tactics such as phishing overlays to harvest login credentials and sensitive information. It can log keystrokes, record screens, livestream content, intercept SMS messages, suppress OTP notifications, modify the clipboard, filter notifications, and capture screenshots. The primary targets are in France, Italy, and Austria, allowing unauthorized access to bank accounts and cryptocurrency wallets. TrickMo.C distinguishes itself by using the TON network for communication, which enhances anonymity and complicates detection efforts.

AppWizard

May 12, 2026

TrickMo Android Malware Targets Banking, Wallet, and Authenticator Apps

TrickMo, an Android banking malware, has re-emerged with enhanced stealth and operational capabilities, targeting banking, fintech, wallet, and authenticator apps. It retains its core device takeover abilities while improving stealth, persistence, and flexibility. The malware persuades users to grant accessibility permissions, allowing full remote control, including real-time screen viewing. A significant advancement is its shift to The Open Network (TON) for command-and-control communication, complicating takedown efforts. TrickMo has been actively deployed in France, Italy, and Austria since early 2026, using fake login overlays to capture credentials while recording user activity. It communicates through .adnl endpoints within the TON network and employs DNS-over-HTTPS for encrypted DNS queries. The malware's modular design includes a primary application as a loader and a dynamically loaded APK module called “dex.module” for malicious capabilities. It features network reconnaissance and tunneling capabilities, allowing commands like HTTP probing and establishing SSH tunnels, which can bypass fraud detection systems. Dormant features suggest potential for future capabilities without altering the core application. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo's various components.

AppWizard

May 11, 2026

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

Modern Android banking malware is evolving with architectural enhancements for increased stealth, resilience, and operational flexibility. In early 2026, a new variant of the TrickMo Android banking trojan was identified, actively targeting banking and wallet users in France, Italy, and Austria. This variant has replaced its predecessor in ongoing campaigns and has transitioned its command-and-control traffic to The Open Network (TON). Key features of the new TrickMo variant include: - The primary command-and-control channel now operates over TON, utilizing .adnl endpoints through an embedded local TON proxy. - It employs a runtime-loaded APK (dex.module) with enhanced functionalities, including reconnaissance, SSH tunneling, and SOCKS5 proxying, allowing infected devices to act as network pivots. - TrickMo is classified as Device Take Over (DTO) malware, targeting banking, fintech, wallet, and authenticator applications on Android devices. - Operators gain control over infected devices through accessibility-service permissions, enabling capabilities such as credential phishing, keylogging, screen recording, remote control, and SMS interception. The new variant features a modular architecture with a host APK functioning as a launcher and persistence layer, while offensive capabilities are delivered through the dynamically loaded dex.module. Significant enhancements include network reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and socket-level tunneling via an embedded SSH client. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo dropper applications and host applications. The malware retains unused permissions for NFC capabilities, suggesting a strategic approach to device filtering.

AppWizard

May 9, 2026

America is about to get tougher on VPNs

Numerous countries have implemented restrictions on online access, requiring users to verify their identities to view adult content. In Utah, Bill S.B. 73 has taken effect to prevent children from using VPNs to bypass age verification for adult content. The bill prohibits commercial entities from facilitating or encouraging the use of VPNs to circumvent age verification requirements. It lacks clarity on what constitutes "material harmful to minors," leading to varied interpretations. The bill also states that individuals are considered to be accessing a website from Utah if they are physically located in the state, regardless of VPN use, which poses challenges for website operators in determining user locations.

TrendTechie

May 5, 2026

Выпуск qBittorrent 5.2.0

qBittorrent 5.2.0 was released on May 3, 2026, as an open-source torrent client developed with the Qt toolkit. It is available for Linux, Windows, and macOS, and its source code is on GitHub under the GPLv2+ license. The project started with version 4.0 in November 2017, followed by versions 5.0 in September 2024 and 5.1 in April 2025. Key features include an integrated search engine, RSS feed subscription, remote management, and advanced torrent settings. Version 5.2.0 includes enhancements such as an advanced tracker status filter, removal of subcategory restrictions, asynchronous block calculations, reduced resume times for paused downloads, configurable RSS feed refresh times, SOCKS4/SOCKS4a proxy support for the search engine, and various improvements to the web interface and user customization options. Support for builds with Qt 6.5 has been discontinued.

Tech Optimizer

May 3, 2026

ProxySQL Releases 3.0.6 And Advances AI Integration Roadmap

ProxySQL has released version 3.0.6, introducing a multi-tier strategy with three tiers: Stable, Innovative (3.1.x), and AI/MCP (4.0.x). Version 3.0.6 enhances PostgreSQL support, improves authentication mechanisms, updates Prometheus metrics, and refines macOS support. The Innovative tier features an embedded time-series database and a traffic observer. The AI/MCP tier explores native integrations for proxy-level Retrieval-Augmented Generation (RAG) and autonomous database management.

Tech Optimizer

April 30, 2026

Inside the Architecture of an MCP Server for PostgreSQL

The Model Context Protocol (MCP) serves as a standard interface between large language models (LLMs) and external systems like PostgreSQL, emphasizing the importance of control over mere connectivity. An MCP server must act as a mediation and policy layer, enforcing security boundaries and ensuring that connections default to read-only. It should validate AI-generated SQL as untrusted input, encapsulate queries within transactions, and apply execution-time controls. The server must separate query generation from execution approval to manage operational costs and enforce guardrails on query types, such as limiting the number of rows returned. Token efficiency is crucial, with design considerations for compact data representation and schema introspection. In production, connection management is vital to prevent data leakage among multiple AI agents, and observability through logging executed queries and metadata is necessary for debugging and compliance. Long-running sessions require support for paginated responses to manage context effectively. Overall, the MCP server must integrate security, query safety, token efficiency, and observability into its design from the outset.

Tech Optimizer

April 15, 2026

Connecting .NET Lambda to Amazon Aurora PostgreSQL via RDS Proxy

Many organizations are modernizing legacy .NET applications while reducing database costs and enhancing scalability, particularly during migrations to AWS Lambda and transitions from SQL Server to Amazon Aurora PostgreSQL-Compatible Edition. The process involves connecting Lambda functions to Aurora PostgreSQL using Amazon RDS Proxy, with AWS Secrets Manager managing secure credential storage. The architecture includes a .NET Lambda function interfacing with Aurora PostgreSQL via RDS Proxy, which provides connection pooling to minimize database connection overhead. The solution requires a CloudFormation template to provision resources such as a VPC with private subnets, an Aurora PostgreSQL cluster, RDS Proxy, and Secrets Manager. The RDS Proxy is configured with parameters including PostgreSQL engine family, idle client connection timeout, and Secrets Manager secret. A Windows EC2 instance is provisioned, and access is facilitated through AWS Systems Manager Fleet Manager. The solution includes creating a sample table named "employee" in the database and a new .NET Lambda project that utilizes Npgsql for database connections. The Lambda function is deployed using the AWS CLI, and testing involves invoking the function and retrieving logs from Amazon CloudWatch. Finally, resources created during the process should be deleted to prevent ongoing charges.

AppWizard

April 14, 2026

Mirax RAT Targets Android Devices Through Meta Apps

Mirax is a remote access Trojan (RAT) targeting Android devices in Spanish-speaking countries, identified by Outpost24's KrakenLabs in early March. It propagates fraudulent advertisements on Meta-owned applications, allowing cybercriminals to gain initial access. Mirax can interact with compromised devices in real time, converting them into residential proxy nodes through ads on platforms like Facebook and Instagram. It uses SOCKS5 protocol and Yamux multiplexing to establish proxy channels and uncover victims' IP addresses. The malware captures keystrokes, steals sensitive data, executes commands, and monitors user activity. It employs overlay pages to steal credentials and orchestrates distribution through Meta ads and GitHub for malicious APK files. Users are tricked into enabling installations from "unknown sources," and the malware disguises itself behind video playback features. Additionally, a threat actor has been offering Mirax as a malware-as-a-service (MaaS) on illicit forums, with subscription prices starting at ,500 for three months. This service is described as highly controlled and exclusive, primarily targeting Russian-speaking actors in underground communities.

Tech Optimizer

April 13, 2026

Fake Claude site installs malware that gives attackers access to your computer

Claude, an AI tool developed by Anthropic, receives nearly 290 million web visits monthly and has become a target for cybercriminals. A fake website has been found that impersonates Claude, distributing a trojanized installer named Claude-Pro-windows-x64.zip. This installer, while appearing legitimate, deploys PlugX malware, granting attackers remote access to users' systems. The fraudulent site mimics the official download page and uses passive DNS records linked to commercial bulk-email platforms, indicating active maintenance by the operators. The ZIP file contains an MSI installer that incorrectly spells "Claude" as "Cluade" and creates a desktop shortcut that launches a VBScript dropper. This script runs the legitimate claude.exe while executing malicious activities in the background, including copying files to the Windows Startup folder to ensure persistence after reboot. The attack utilizes a DLL sideloading technique recognized by MITRE as T1574.002, where a legitimate G DATA antivirus updater is exploited with a malicious DLL. Within 22 seconds of execution, the malware establishes a connection to an IP address associated with Alibaba Cloud, indicating control over the compromised system. The dropper script also employs anti-forensic measures to delete itself and the VBScript after deployment. Indicators of compromise include the filenames Claude-Pro-windows-x64.zip, NOVUpdate.exe, avk.dll, and NOVUpdate.exe.dat, along with the network indicator 8.217.190.58:443 (TCP) as the command and control destination. Users are advised to download Claude only from the official site and to remain vigilant against potential compromises.