reverse engineering Archives

Tech Optimizer

January 22, 2026

Hackers Weaponized 2,500+ Security Tools to Terminate Endpoint Protection Before Deploying Ransomware

A large-scale campaign is exploiting the truesight.sys Windows security driver from Adlice Software’s RogueKiller antivirus to disable endpoint detection and response (EDR) and antivirus solutions, facilitating the deployment of ransomware and remote access malware. This attack utilizes over 2,500 validly signed variants of the driver, allowing attackers to manipulate legacy driver signing rules to load pre-2015 signed drivers on Windows 11 machines. The vulnerable TrueSight driver exposes an IOCTL command that enables attackers to terminate security processes, providing them with kernel-level access to bypass user-mode protections. The infection chain typically starts with phishing emails or compromised sites, leading to the installation of a downloader that retrieves additional malicious components. The malware establishes persistence and deploys an EDR killer module targeting nearly 200 security products. Once defenses are disabled, the final payload, often a remote access trojan or ransomware, executes with minimal visibility, completing the attack in as little as 30 minutes.

AppWizard

December 25, 2025

Android Malware Operations Merge Droppers, SMS Theft, and RAT Capabilities at Scale

Threat actors in Uzbekistan are increasingly using sophisticated tactics to target mobile users, specifically through malicious dropper applications that appear as legitimate software. A recent analysis by Group-IB identified an Android SMS stealer called Wonderland, which was previously known as WretchedCat. Unlike traditional Trojan APKs that activate malware immediately upon installation, Wonderland utilizes droppers that activate malicious payloads locally after installation, even without an internet connection. Wonderland enables bidirectional command-and-control communication, allowing real-time execution of commands, including SMS theft and USSD requests. It disguises itself as Google Play or various file formats to evade detection. The financially motivated group behind this malware, TrickyWonders, uses Telegram for coordination and was first detected in November 2023. Wonderland is associated with two dropper families: MidnightDat and RoundRift. Propagation methods for Wonderland include counterfeit Google Play Store pages, Facebook ads, and fake accounts on dating apps. Attackers exploit stolen Telegram sessions from Uzbek users to distribute APK files. Once installed, Wonderland can access SMS messages, intercept one-time passwords, and siphon funds from victims' bank accounts. It can also retrieve phone numbers, exfiltrate contact lists, suppress security alerts, and send SMS messages from compromised devices. Users must enable installations from unknown sources to sideload the app, often misled by a fake update screen. If granted permissions, attackers can hijack the phone number and log into the associated Telegram account, perpetuating the malware's spread. Wonderland represents a significant evolution in mobile malware in Uzbekistan, moving from basic malware like Ajina.Banker to more sophisticated variants like Qwizzserial. The use of dropper applications enhances its deceptive nature, allowing it to evade security checks. Both the dropper and SMS stealer components are heavily obfuscated, complicating reverse engineering. The supporting infrastructure for Wonderland is dynamic, with rapidly changing domains complicating monitoring efforts. Malicious APKs are generated through a Telegram bot and distributed by a network of threat actors. New strains of malware, such as Cellik, Frogblight, and NexusRoute, have also emerged, each capable of harvesting sensitive information from compromised devices.

AppWizard

October 25, 2025

OWASP Mobile Top 10 for Android – How AutoSecT Detects Each Risk?

Mobile applications account for 70% of global interactions, with over 6.8 billion smartphone users. In 2023, 40% of data breaches are linked to vulnerabilities in mobile applications. The OWASP Mobile Top 10 outlines critical security risks for mobile apps, including: 1. Improper Credential Usage: Mishandling of passwords and session tokens. 2. Inadequate Supply Chain Security: Risks from unverified third-party components. 3. Insecure Authentication/Authorization: Failures in verifying user identities. 4. Insufficient Input/Output Validation: Lack of checks on incoming and outgoing data. 5. Insecure Communication: Unprotected data during transmission. 6. Inadequate Privacy Controls: Poor safeguards for personal data. 7. Insufficient Binary Protections: Lack of defenses against reverse engineering. 8. Security Misconfiguration: Improperly secured application settings. 9. Insecure Data Storage: Weak protection of sensitive information on devices. 10. Insufficient Cryptography: Use of weak or improperly implemented encryption. AutoSecT, an AI-driven mobile app security testing platform, detects these risks through various methods, including static code analysis, software composition analysis, and dynamic testing. It helps developers identify and mitigate vulnerabilities effectively.

AppWizard

October 15, 2025

GhostBat RAT Android Malware Poses as Fake RTO Apps to Steal Banking Data from Indian Users

The GhostBat RAT campaign employs sophisticated malware distribution techniques, utilizing infection vectors such as WhatsApp, SMS with shortened URLs, GitHub-hosted APKs, and compromised websites to deliver malicious Android droppers. These droppers utilize multi-stage workflows, ZIP header manipulation, and string obfuscation to evade detection. The malware includes tools for stealing banking credentials and cryptocurrency miners, directing victims to phishing pages resembling the mParivahan app to collect sensitive information. SMS messages with banking keywords are exfiltrated to command and control servers, while incoming messages may be forwarded for OTP harvesting. Device registration occurs through a Telegram bot named GhostBatRat_bot. In July 2024, Android malware impersonating Regional Transport Office applications was documented, designed to steal contacts and SMS messages. Observations from September 2025 revealed over forty samples propagating through WhatsApp and SMS, ultimately delivering a malicious version of the mParivahan app. The malware initiates phishing activities by requesting SMS permissions and harvesting banking credentials. VirusTotal detections for the malware remain low due to its multi-layered dropper mechanisms and obfuscation techniques. The architecture of GhostBat RAT features multi-stage dropper workflows, native binary packing, and heavy string obfuscation. The first-stage dropper verifies device architecture and manufacturer, while subsequent stages decrypt and execute payloads, including a cryptominer library and a malicious APK for data theft. Victims encounter a counterfeit Google Play update page, leading to the installation of the malicious APK, which requests SMS permissions and presents a phishing interface. Users are prompted to enter their UPI PIN into a fake payment flow, which forwards the PIN to a Firebase endpoint. The campaign highlights the need for careful SMS permission management and vigilance against shortened URLs to combat emerging Android malware threats.

Tech Optimizer

October 10, 2025

From infostealer to full RAT: dissecting the PureRAT attack chain

An investigation revealed that a Python-based infostealer campaign led to the deployment of PureRAT, a sophisticated remote access trojan (RAT). The campaign began with a phishing email containing a ZIP archive that included a legitimate PDF reader executable and a malicious DLL. The DLL executed a series of payloads, including a Python info-stealer that harvested sensitive data and exfiltrated it via the Telegram API. The attack progressed to a .NET executable, which employed techniques like process hollowing and evasion tactics to load additional payloads. The final payload, Mhgljosy.dll, was identified as PureRAT, which established an encrypted command-and-control (C2) channel and allowed for extensive control over the compromised host. The C2 server was traced to Vietnam, suggesting a connection to the PXA group. The malware's functionality included host fingerprinting, command execution, and potential access to sensitive information and resources. Indicators of compromise included specific file hashes, registry keys, and IP addresses associated with the C2 server.

AppWizard

October 2, 2025

This dangerous new Android malware disguises itself as a VPN or IPTV app – so be on your guard

Cybersecurity researchers from Cleafy have identified an Android trojan named Klopatra, which targets banking and cryptocurrency users by stealing funds from banking applications and cryptocurrency from hot wallets. This malware, attributed to a Turkish threat actor, has been active since March 2025 and has undergone 40 iterations. It is distributed through a deceptive app called Modpro IP TV + VPN, which requests Accessibility Services permissions upon installation. Klopatra employs advanced techniques to evade detection, including the use of Virbox for code protection, minimizing Java and Kotlin usage, NP Manager string encryption, and multiple anti-debugging features. Currently, at least 3,000 devices in Europe have been compromised by this malware.

Winsage

September 26, 2025

LNK Malware Leverages Legit Windows Files to Slip Past Defenses

Threat actors from Israel have reintroduced the use of Windows shortcut (.LNK) files to deliver a Remote Access Trojan (RAT). Victims are lured to download a file named “cyber security.lnk” from a Discord channel, which opens a decoy PDF while executing a PowerShell script in the background. The script uses odbcconf.exe to register and execute a malicious DLL (Moq.dll) and its supporting libraries. The RAT can collect system metrics, capture screenshots, upload files via the Dropbox API, and execute commands from a command-and-control (C2) server. It ensures persistence by modifying a registry key to launch on user login. Mitigation strategies include monitoring the execution of legitimate binaries, enforcing application whitelisting, and educating users about the risks of downloading files from untrusted sources.

AppWizard

August 19, 2025

Android VPN apps used by millions are covertly connected AND insecure

Recent research from Arizona State University and Citizen Lab has identified connections among three families of Android VPN applications with over 700 million downloads, raising concerns about user privacy and security. The analysis revealed three groups of VPN providers: 1. Group A: Eight apps from three providers sharing identical Java code and libraries, exhibiting vulnerabilities such as: - Collecting location data against privacy policies. - Using weak encryption methods. - Hard-coded Shadowsocks passwords that could allow traffic decryption. 2. Group B: Eight apps from five providers supporting only the Shadowsocks protocol, sharing libraries and hard-coded passwords, with all servers hosted by GlobalTeleHost Corp. 3. Group C: Two providers with one app each, using a custom tunneling protocol and sharing similar code, vulnerable to connection inference attacks. The research highlighted significant privacy breaches, including undisclosed location data collection and vulnerabilities that could allow eavesdroppers to decrypt communications. Alarmingly, these VPN providers are linked to Qihoo 360, a Chinese company that has concealed this connection, raising concerns about potential data sharing with the government due to China's strict laws. Additionally, the Tech Transparency Project found that many free VPN apps on the Apple App Store are also linked to companies in mainland China or Hong Kong without disclosing these ties.

AppWizard

August 5, 2025

New Android Malware Poses as SBI Card and Axis Bank Apps to Steal Financial Data

McAfee’s Mobile Research Team has identified a malware campaign targeting Android users in India, specifically Hindi speakers. The malware disguises itself as legitimate financial applications from banks like SBI Card, Axis Bank, and IndusInd Bank. It is distributed through phishing websites that mimic official banking portals and uses authentic assets to appear credible. The malware has dual functionality: it exfiltrates personal and financial data and mines Monero cryptocurrency using the XMRig tool, activated remotely via Firebase Cloud Messaging (FCM). It masquerades as a Google Play update, prompting users to install it, which leads to data theft. Upon installation, the malware presents a fake Google Play interface and requests sensitive information, which is sent to a command-and-control server. After data submission, users see a misleading confirmation page. The malware employs a multi-stage dropper to evade detection, with remote activation capabilities that keep it dormant until triggered. Phishing sites promote the malicious APK through SMS, WhatsApp, or social media. McAfee has reported these threats to Google, resulting in the blocking of the associated FCM account. All variants are classified as high-risk, with infections primarily in India but some in other regions. Users are advised to download apps only from Google Play and to be cautious with unsolicited links. Indicators of Compromise (IOCs) include specific APKs for various credit cards and phishing site URLs related to the campaign.

Winsage

August 4, 2025

North Korea Hiding Malware Within JPEG Files to Attack Windows Systems Bypassing Detections

Security researchers at Genians Security Center discovered a new variant of the RoKRAT malware linked to the North Korean APT37 threat group. This malware uses steganography to hide malicious payloads within JPEG files, allowing it to evade traditional antivirus detection. It is typically distributed through malicious shortcut files within ZIP archives, often disguised as legitimate documents. The malware employs a two-stage encrypted shellcode injection method, utilizing PowerShell and batch scripts to execute its payloads in memory. It collects system information, documents, and screenshots, exfiltrating data via compromised cloud APIs. The command and control accounts associated with the malware are linked to Russian email services. Variants of RoKRAT have evolved to include different injection methods and reference specific PDB paths. Indicators of compromise include various MD5 hashes associated with the malware.