threat actor Archives

AppWizard

April 9, 2026

Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk

Version 5.2.1 of the EngageSDK was released to address security vulnerabilities related to third-party SDKs, particularly affecting digital asset management applications. Although no exploitation of this vulnerability has been reported, developers are urged to upgrade to the latest version. The Android operating system's security model provides some protections against these vulnerabilities, and the Android team has updated user protections during the transition to the secure version. The vulnerability, classified as severe, allows unauthorized access to protected components and sensitive data through intent redirection. Affected applications, particularly in the cryptocurrency and digital wallet sectors, account for over 30 million installations. The vulnerability was first identified in version 4.5.4 of the EngageLab SDK, reported in April 2025, and was addressed in version 5.2.1 released on November 3, 2025, which set the vulnerable activity to non-exported. Developers are advised to regularly review their Android manifests and upgrade to the latest SDK version to maintain application security.

AppWizard

April 3, 2026

Google Responds As 50 Apps With 2 Million Downloads Hit By Malware

Researchers at McAfee Labs discovered that 50 Android applications on the Google Play Store contain malware known as NoVoice, which can grant full remote access to infected smartphones. These apps have over 2.3 million downloads. The malware can communicate with remote servers, profile devices, and download tailored root exploits, potentially compromising specific hardware and software configurations. However, devices with an Android security patch level of May 2021 or later are not vulnerable to these exploits, as the vulnerabilities were patched by Android between 2016 and 2021. Google Play Protect removes these apps and blocks new installs, and users are advised to keep their devices updated with the latest security patches.

AppWizard

April 1, 2026

‘NoVoice’ Android malware on Google Play infected 2.3 million devices

A new Android malware called NoVoice has been found in over 50 applications on Google Play, with more than 2.3 million downloads. The malware targets older Android versions, specifically those patched between 2016 and 2021, and attempts to gain root access by exploiting vulnerabilities. It conceals malicious components within the com.facebook.utils package and uses steganography to hide an encrypted payload within a PNG image file. NoVoice avoids infecting devices in certain regions and has checks to detect emulators and VPNs. Once activated, the malware contacts its command-and-control server to gather device information and polls it every 60 seconds for tailored exploits aimed at rooting the device. It can exploit 22 vulnerabilities, including kernel bugs, and establishes persistence by replacing key system libraries and installing recovery scripts. The malware injects code into applications, particularly targeting WhatsApp to extract sensitive data for session replication, which is then exfiltrated to the C2 server. The malicious apps containing NoVoice have been removed from Google Play, but users who installed them should consider their devices compromised. Upgrading to devices with later security patches is recommended to mitigate the threat.

Tech Optimizer

March 11, 2026

Malformed ZIP Files Allows Attackers to Bypass Antivirus and EDR Detections

A vulnerability identified as CVE-2026-0866 allows malicious actors to exploit malformed ZIP headers to bypass antivirus and Endpoint Detection and Response (EDR) systems. This flaw occurs because most security solutions rely on metadata within ZIP archives to scan and process files. When the compression method field is altered, security scanners may fail to decompress the archive correctly, resulting in a false negative and leaving the malicious payload undetected. Attackers can then use a custom loader to access the embedded malicious data, circumventing standard extraction tools. Cisco has been confirmed as affected by this vulnerability, while nearly 30 other security vendors have not disclosed their status. The cybersecurity community is urged to evolve scanning methodologies, including not relying solely on declared metadata and implementing aggressive detection modes. Organizations should verify their antivirus and EDR solutions for vulnerability to CVE-2026-0866 and monitor for custom loaders.

Tech Optimizer

February 22, 2026

Researchers Discover First Android Malware Using Generative AI for Persistence

Security researchers have identified a new Android Trojan named PromptSpy that uses generative AI technology to enhance its persistence on compromised devices. Discovered by ESET researchers, PromptSpy leverages Google's Gemini AI model to analyze infected device screens and generate tailored instructions for embedding itself within recent apps lists. It includes a Virtual Network Computing (VNC) module that allows attackers full remote control over the device, enabling activities such as viewing the screen, performing actions remotely, capturing lock screen data, blocking uninstallation attempts, gathering device information, taking screenshots, and recording screen activity as video. The malware communicates with command-and-control servers using AES encryption and exploits Android Accessibility Services, making it difficult to remove. PromptSpy is distributed through a dedicated website and is financially motivated, adapting to various Android interfaces and operating system versions. ESET's analysis indicates that the malware is regionally targeted, with a focus on Argentina, and may have been developed in a Chinese-speaking environment. The same threat actor is believed to be responsible for both VNCSpy and PromptSpy.

AppWizard

February 19, 2026

New backdoor found in Android tablets targeting users in Russia, Germany and Japan

Researchers from Kaspersky have discovered an Android backdoor named Keenadu, embedded in the firmware of devices, allowing it to infect tablets before they reach consumers. This malware, affecting over 13,700 users globally, primarily targets advertising fraud by hijacking browser search engines, monitoring app installations, and generating fraudulent revenue. Tablets from various manufacturers, including Alldocube, have been found compromised, with the malware likely inserted during the firmware build stage through a compromised supply chain. Keenadu has multiple variants, some hidden in applications, and employs evasion tactics based on device language settings and time zones. It cannot be removed using standard Android security tools, and users are advised to install clean firmware or replace their devices entirely.

Tech Optimizer

February 11, 2026

Hackers Used Hugging Face to Distribute Android Banking Trojans

Cybersecurity researchers have identified a malware campaign that exploited Hugging Face's AI infrastructure to distribute Android banking trojans. The attackers used a deceptive app called TrustBastion, which tricked users into installing what appeared to be legitimate security software. Upon installation, the app redirected users to an encrypted endpoint that linked to Hugging Face repositories, allowing the malware to evade traditional security measures. The campaign generated new malware variants every 15 minutes, resulting in over 6,000 commits in about 29 days. It infected thousands of victims globally, particularly in regions with high smartphone banking usage but lower mobile security awareness. The operation is believed to be linked to an established cybercriminal group. Security experts warn that this incident highlights vulnerabilities in trusted platforms and calls for improved security measures, including behavioral analysis systems and verification of application authenticity. The incident has also sparked discussions about the need for enhanced security protocols for AI platforms.

Tech Optimizer

January 29, 2026

Top antivirus hacked to push out a malicious update – find out if you’re affected

Recent reports indicate that the antivirus program eScan experienced a security breach, leading MicroWorld Technologies to conduct an internal investigation. A threat actor exploited compromised update servers to distribute malware to users who downloaded updates during a two-hour window on January 20, 2026. The exact number of affected users is unknown, but the company has isolated the compromised infrastructure and refreshed credentials while assisting impacted users. The eScan product itself was not altered, and the victims were limited to a specific regional cluster. The malware, identified as CONSCTLX, operates as a backdoor and downloader, allowing attackers to maintain access and execute commands on infected devices. The identity of the attackers is unknown, but North Korean cybercriminals previously exploited eScan's update mechanism in 2024. MicroWorld Technologies has provided support to millions of customers but has not disclosed the total number of eScan users.

Tech Optimizer

December 30, 2025

Hackers Advertised VOID ‘AV Killer’ with Kernel-level Termination Claims

A new threat actor named Crypt4You is promoting a tool called VOID KILLER on underground forums and dark web marketplaces. VOID KILLER is designed as a kernel-level antivirus and endpoint detection response process killer, specifically engineered to bypass existing security defenses. It targets the core of operating systems to dismantle protective barriers, posing a significant challenge to contemporary defensive architectures. VOID KILLER can terminate Windows Defender and around fifty consumer-grade antivirus solutions without detection, utilizing polymorphic build techniques to evade signature-based detection systems. It features automatic User Account Control (UAC) bypass mechanisms and can inject any executable file, making it compatible with various malware families. Custom builds of VOID KILLER are priced at three hundred dollars, and payment is accepted in cryptocurrencies. Organizations using Windows Defender, consumer antivirus software, and advanced EDR solutions face increased risk exposure due to this tool.

Tech Optimizer

December 28, 2025

Threat Actors Advertised NtKiller Malware on Dark Web Claiming Terminate Antivirus and EDR Bypass

A malicious entity named AlphaGhoul has introduced a tool called NtKiller, designed to disable antivirus software and endpoint detection systems, posing a threat to organizations using traditional security measures. NtKiller was advertised on an underground forum, claiming to allow attackers to operate undetected while executing malware. It reportedly circumvents security programs like Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro, and can bypass enterprise-grade Endpoint Detection and Response solutions in aggressive modes. Analysts from KrakenLabs noted that NtKiller uses early-boot persistence mechanisms to evade detection and operates on a modular pricing structure, with core functionality available for [openai_gpt model="gpt-4o-mini" prompt="Summarize the content and extract only the fact described in the text bellow. The summary shall NOT include a title, introduction and conclusion. Text: A malicious entity known as AlphaGhoul has recently surfaced within the cybercriminal underworld, promoting a tool dubbed NtKiller. This tool is engineered to discreetly disable antivirus software and endpoint detection systems, posing a new threat to organizations that rely on traditional security measures. NtKiller was unveiled on an underground forum frequented by individuals seeking to buy and sell hacking services. The advertisement claims that this tool enables attackers to operate undetected while executing their malware on compromised machines. The introduction of NtKiller signifies a formidable challenge for businesses that depend on established security solutions. According to the threat actor, the tool is capable of circumventing several widely-used security programs, including Microsoft Defender, ESET, Kaspersky, Bitdefender, and Trend Micro. Alarmingly, it is also said to bypass enterprise-grade Endpoint Detection and Response (EDR) solutions when utilized in aggressive modes. Analysts from KrakenLabs have observed that NtKiller employs early-boot persistence mechanisms, allowing it to remain concealed and evade detection by security teams once activated. This stealthy approach complicates efforts to identify and eliminate the malware. Further investigation by KrakenLabs revealed that NtKiller operates on a modular pricing structure. The core functionality is available for 0, with additional features such as rootkit capability and User Account Control (UAC) bypass each priced at an extra 0. This pricing model indicates that the tool has been meticulously crafted for commercial distribution within the cybercriminal ecosystem. Beyond merely terminating processes, NtKiller is purported to support advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Technical capabilities The technical features attributed to NtKiller render it particularly perilous in the hands of adept attackers. The tool's early-boot persistence mechanism allows it to embed itself during system startup, prior to the activation of many security monitoring systems. This timing advantage facilitates the execution of malicious payloads in an environment where detection capabilities are significantly diminished. Moreover, the anti-debugging and anti-analysis protections embedded within NtKiller hinder researchers and automated tools from scrutinizing the malware's behavior, resulting in a substantial knowledge gap regarding its true capabilities versus its promotional claims. Another critical feature is the silent UAC bypass option, which enables malware to acquire elevated system privileges without triggering standard Windows prompts that could alert users to suspicious activities. When combined with rootkit functionality, this allows attackers to maintain persistent access to compromised systems while remaining undetected by conventional security measures. It is essential to highlight that these capabilities have yet to be independently verified by third-party researchers, leaving the actual effectiveness of NtKiller uncertain. Organizations are urged to remain vigilant and ensure their security tools incorporate behavioral detection mechanisms that extend beyond signature-based identification to effectively combat such emerging threats. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google." max_tokens="3500" temperature="0.3" top_p="1.0" best_of="1" presence_penalty="0.1" frequency_penalty="frequency_penalty"] and additional features priced at 0 each. The tool supports advanced evasion techniques, including HVCI disabling, VBS manipulation, and memory integrity circumvention. Its silent User Account Control bypass option allows malware to gain elevated privileges without alerting users. The effectiveness of NtKiller's capabilities has not been independently verified, prompting organizations to enhance their security measures beyond signature-based detection.