trojan Archives

AppWizard

June 8, 2026

Pirated PC games are delivering password-stealing malware

A surge in Windows malware campaigns has been identified, with malicious software hidden in pirated PC games and modified installers for popular franchises like Far Cry, Need for Speed, FIFA, and Assassin’s Creed. Over 400,000 devices globally have been affected, with around 30,000 cases in the United States. The malware, known as the "RenEngine loader," is disguised as a legitimate game launcher and infects systems when users download cracked games. It aims to deploy an infostealer called ARC, which can capture sensitive information such as passwords and cryptocurrency wallets, and may also install other harmful payloads like the Rhadamanthys stealer and Async Remote Access Trojan (RAT). Users often remain unaware of their infection until significant damage occurs. Recommendations for safety include avoiding unofficial downloads, using up-to-date anti-malware protection, and regularly updating software.

BetaBeacon

June 3, 2026

Fake GTA 6, real malware: the new scam targeting Windows and Android

Attackers create fake GTA 6 beta scams that install trojans on machines, stealing credentials and mining cryptocurrency. Gamers' anticipation for highly anticipated games makes them vulnerable to these scams. NordVPN's antivirus can intercept these files and protect users from phishing sites impersonating gaming platforms. NordVPN's Premium plan includes VPN and antivirus for .85/month. NordVPN's antivirus works well on Windows and macOS, but is limited on mobile versions. The plan comes with a 30-day money-back guarantee.

Winsage

June 2, 2026

PHANTOMPULSE RAT Uses UAC Bypass to Hijack Windows Systems

PHANTOMPULSE is a remote access trojan (RAT) used as a final payload in multi-stage attacks targeting Windows environments. It employs advanced post-exploitation techniques, including process injection, User Account Control (UAC) bypass, and a decentralized blockchain-based command-and-control (C2) mechanism. The malware utilizes three process injection techniques: module stomping, manual DLL mapping, and debug-driven execution. It avoids detection by using direct system calls instead of standard Windows APIs and incorporates a hardware breakpoint mechanism to disable security protections like AMSI and ETW. PHANTOMPULSE retrieves its C2 server address from Ethereum-based transaction data but has a vulnerability that allows defenders to hijack communication. It achieves persistence through scheduled tasks and supports self-healing capabilities. Privilege escalation is done using the "schuac" UAC bypass technique. The malware conducts system reconnaissance focusing on cryptocurrency wallets and messaging apps but does not directly steal credentials. It shows signs of AI-assisted development and shares tactics with DPRK-aligned threat groups, particularly in targeting cryptocurrency platforms.

Winsage

June 2, 2026

New PHANTOMPULSE RAT Campaign Uses UAC Bypass in Windows Attacks

The REF6598 intrusion set has revealed a Remote Access Trojan (RAT) named PHANTOMPULSE, which is distributed via malicious Obsidian plugins. It uses advanced evasion techniques, including a blockchain-based command and control (C2) channel and a public User Account Control (UAC) bypass to infiltrate Windows systems. The malware disables security measures like the Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP) through a hardware-breakpoint technique, allowing it to avoid detection by signature-based memory scanners. PHANTOMPULSE hides its core files in encrypted registry blobs and creates scheduled tasks that appear as .NET Framework updates. Its decentralized C2 framework queries public blockchains for operational data, but it lacks sender authentication, which can be exploited by defenders. The malware inventories the system for antivirus software and targets high-value applications. It employs a UAC bypass technique called “schuac” to gain elevated permissions. Analysts attribute this campaign to DPRK-aligned threat actors, particularly the BlueNoroff group, due to its focus on cryptocurrency wallets and blockchain exploitation. Defenders can identify new infrastructure by searching blockchain ledgers for a specific hex signature associated with the malware's C2 encryption routine.

AppWizard

May 28, 2026

Fake ‘Cockroach Janta Party’ Android app flagged as critical malware threat, report warns

A cybersecurity report released on May 22, 2026, identifies a counterfeit Android application posing as the official app of the Cockroach Janta Party as a significant malware threat. The malicious app, known as Cockroach.Janta.Party, functions as a Remote Access Trojan (RAT) and can infiltrate Android devices, steal sensitive information, intercept communications, and control infected smartphones. The genuine Cockroach Janta Party has no affiliation with this app and is a victim of brand impersonation. The app is distributed through WhatsApp, Telegram, and misleading websites, particularly a rogue domain, cockroachjantaparty[.]org. It targets Android devices running versions 8.0 to 14 and requests elevated permissions, including access to camera, SMS, call logs, and contacts, while misusing the Android Accessibility Service to read on-screen content and grant itself additional permissions. The app contains multiple malicious modules for data exfiltration and uses a Command and Control infrastructure based on the Telegram Bot API. Users are advised to uninstall the app, disable Accessibility permissions, reset banking credentials, enable two-factor authentication, and conduct a full mobile security scan. The legitimate Cockroach Janta Party is encouraged to issue a formal clarification regarding the impersonation.

AppWizard

May 21, 2026

This Free Steam Game Tricks Players Into Downloading Malware, Users Beware

Steam users are warned about the risks of downloading free games, particularly a compromised title called Beyond The Dark, which was a clone of the horror game Phasmophobia. This game contained malware named UnityPlayer.dll that activated upon launch, targeting saved passwords and cryptocurrency extensions in browsers. Users experienced instability and crashes while the malware operated in the background. It is recommended that those who downloaded the game delete associated files and perform a system scan, changing any potentially compromised passwords. Valve has removed Beyond The Dark from its storefront to prevent further downloads. Users are advised to scrutinize game descriptions, review feedback, and maintain reliable antivirus software to protect their personal information.

AppWizard

May 17, 2026

Demigod review (2009)

Demigod, reviewed in PC Gamer issue #201 (June 2009), features a unique art direction characterized by a "Video Game Beige" color palette. The game allows players to utilize Generals to command minions in chaotic battles, though the visuals can sometimes obscure unit status. It includes four game types, with Conquest and Fortress modes requiring direct assaults on turrets, which can lead to drawn-out matches. Players can upgrade their minions at the Citadel, enhancing their capabilities. The game incorporates RPG elements, allowing players to invest in team benefits or personal enhancements through in-game currency. However, it has minor flaws, including pathfinding issues and inconsistent netcode, affecting online play. Despite these issues, players find enjoyment in the blend of strategy and RPG mechanics.

AppWizard

May 12, 2026

This devious Android malware has returned disguised as TikTok or streaming apps — and is now using blockchain to remain undetected

Researchers at ThreatFabric have identified a new variant of the TrickMo banking trojan, named TrickMo.C, targeting Android users in Europe since January 2026. TrickMo.C disguises itself as popular applications like TikTok and streaming services, using tactics such as phishing overlays to harvest login credentials and sensitive information. It can log keystrokes, record screens, livestream content, intercept SMS messages, suppress OTP notifications, modify the clipboard, filter notifications, and capture screenshots. The primary targets are in France, Italy, and Austria, allowing unauthorized access to bank accounts and cryptocurrency wallets. TrickMo.C distinguishes itself by using the TON network for communication, which enhances anonymity and complicates detection efforts.

AppWizard

May 11, 2026

New TrickMo Variant: Device Take Over malware targeting Banking, Fintech, Wallet & Auth apps

Modern Android banking malware is evolving with architectural enhancements for increased stealth, resilience, and operational flexibility. In early 2026, a new variant of the TrickMo Android banking trojan was identified, actively targeting banking and wallet users in France, Italy, and Austria. This variant has replaced its predecessor in ongoing campaigns and has transitioned its command-and-control traffic to The Open Network (TON). Key features of the new TrickMo variant include: - The primary command-and-control channel now operates over TON, utilizing .adnl endpoints through an embedded local TON proxy. - It employs a runtime-loaded APK (dex.module) with enhanced functionalities, including reconnaissance, SSH tunneling, and SOCKS5 proxying, allowing infected devices to act as network pivots. - TrickMo is classified as Device Take Over (DTO) malware, targeting banking, fintech, wallet, and authenticator applications on Android devices. - Operators gain control over infected devices through accessibility-service permissions, enabling capabilities such as credential phishing, keylogging, screen recording, remote control, and SMS interception. The new variant features a modular architecture with a host APK functioning as a launcher and persistence layer, while offensive capabilities are delivered through the dynamically loaded dex.module. Significant enhancements include network reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and socket-level tunneling via an embedded SSH client. Indicators of compromise include specific SHA-256 hashes and package names associated with TrickMo dropper applications and host applications. The malware retains unused permissions for NFC capabilities, suggesting a strategic approach to device filtering.

Winsage

May 10, 2026

Official JDownloader site served malware to Windows and Linux users between May 6 and May 7

Between May 6 and May 7, 2026, the official JDownloader website was compromised in a supply chain attack, leading to the distribution of malicious installers for Windows and Linux users. Attackers altered download links, redirecting users to harmful files, specifically targeting the Windows “Alternative Installer” and the Linux shell installer. A Reddit user reported the issue after Microsoft Defender flagged the installers as malicious, noting unusual developer names instead of the expected publisher, AppWork GmbH. JDownloader developers confirmed the breach and temporarily took down the website for investigation, revealing that an unpatched vulnerability in the content management system allowed the attackers to modify download pages. The genuine installer packages were not altered, and the malicious links were removed. The website was restored on May 8–9, 2026, with verified clean installer links. Indicators of compromise included specific hashes and compromised URLs related to the attack.