A stealthy RAT burrowing deep into Android devices

BTMOB is an Android remote access trojan that evolved from SpySolr malware and poses significant threats beyond traditional banking trojans. The malware combines phishing-led delivery with an APK builder interface that enables rapid payload generation without coding skills. Distributed through fake app stores impersonating streaming services, cryptocurrency platforms, and government agencies, BTMOB abuses Android Accessibility Services to gain elevated permissions. Marketed as malware-as-a-service with a reported $5,000 lifetime license, it provides adversaries with capabilities to exfiltrate sensitive data, capture screenshots, record device activity, and establish remote control. The tool's customizable phishing lures have been adapted for specific regions, including campaigns impersonating Argentine tax authorities, making it a rapidly evolving threat with global reach.

Pulse ID: 6a1cc51d7c8f832f819a0a43
Pulse Link: https://otx.alienvault.com/pulse/6a1cc51d7c8f832f819a0a43
Pulse Author: AlienVault
Created: 2026-05-31 23:32:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Bank #BankingTrojan #CyberSecurity #Government #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Trojan #bot #cryptocurrency #AlienVault

Novo trojan BTMOB ataca equipamentos móveis e esvazia contas bancárias
🔗 https://tugatech.com.pt/t84480-novo-trojan-btmob-ataca-equipamentos-moveis-e-esvazia-contas-bancarias

#trojan 

#BTMOB #Android #malware service generates custom #phishing payloads

https://www.bleepingcomputer.com/news/security/btmob-android-malware-service-generates-custom-phishing-payloads/

#cybersecurity #trojan

A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

JINX-0164, a financially motivated threat actor active since mid-2025, has been conducting sophisticated campaigns against cryptocurrency organizations. The actor employs LinkedIn-based social engineering, posing as recruiters or business partners to deliver custom macOS malware including AUDIOFIX (a Python-based infostealer and RAT) and MINIRAT (a lightweight Go backdoor). Their operations focus on compromising developer endpoints to steal cryptocurrency wallet credentials, cloud secrets, and GitHub tokens. The attackers then pivot to CI/CD infrastructure, injecting malicious code into repositories to enable lateral movement. In April 2026, they executed a supply chain attack by trojanizing the npm package @velora-dex/sdk. The group masks activity using VPN services and demonstrates advanced capabilities including credential harvesting from password managers, browser extensions, and development tools.

Pulse ID: 6a181e409d755171f4ac356c
Pulse Link: https://otx.alienvault.com/pulse/6a181e409d755171f4ac356c
Pulse Author: AlienVault
Created: 2026-05-28 10:51:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Cloud #CredentialHarvesting #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #LinkedIn #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #Password #Python #RAT #SocialEngineering #SupplyChain #Trojan #VPN #Word #bot #cryptocurrency #AlienVault

Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet

Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims passing anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.

Pulse ID: 6a15ba2632bd7e246e9c1250
Pulse Link: https://otx.alienvault.com/pulse/6a15ba2632bd7e246e9c1250
Pulse Author: AlienVault
Created: 2026-05-26 15:20:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #CandC #ClearFake #CyberSecurity #EtherHiding #InfoSec #InfoStealer #Java #JavaScript #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

#Ricoh Scanner-Datei #SsUCommon.dll wird vom OnlineUpdater in #TrendMicro als "#Trojan.Win32.ZYX.USBLEQ26" gekennzeichnet. Noch jemand betroffen?

https://borncity.com/blog/2026/05/27/ricoh-ssucommon-dll-wird-als-virus-trojaner-geflaggt/

RemotePE: The Lazarus RAT that lives in memory

A sophisticated memory-only toolset used by a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations consists of three malware families forming a chain. DPAPILoader decrypts and loads RemotePELoader from disk using Windows Data Protection API. RemotePELoader beacons to command-and-control servers and retrieves RemotePE, a fully-fledged remote access trojan executed entirely in memory without filesystem artifacts. The toolset employs environmental keying via DPAPI, EDR evasion through HellsGate technique and ETW patching, actor-in-the-loop payload delivery, and shared hosting infrastructure on Namecheap. RemotePE features comprehensive RAT capabilities including file operations, process management, command execution, and a plugin system for dynamically loading additional payloads, while maintaining persistence through masquerading as legitimate Windows services.

Pulse ID: 6a1447f25db6bc082d5093cb
Pulse Link: https://otx.alienvault.com/pulse/6a1447f25db6bc082d5093cb
Pulse Author: AlienVault
Created: 2026-05-25 13:00:34

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #EDR #Edge #InfoSec #Korea #Lazarus #Malware #Namecheap #NorthKorea #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #Trojan #Windows #bot #cryptocurrency #AlienVault

Android Trojan Abuses Commercial Rooting Tool and Steals Private Information

Rootnik is an Android trojan that exploits vulnerabilities in Android 4.3 and earlier by weaponizing a Chinese commercial rooting tool called Root Assistant. The malicious operation spreads through repackaged legitimate applications distributed globally, affecting users primarily in the United States, Malaysia, Thailand, Lebanon and Taiwan. After installation, Rootnik gains root access using stolen exploits, installs four persistent APK files to the system partition, and performs aggressive app promotion campaigns. The trojan silently installs and uninstalls applications, downloads and executes code remotely, and harvests sensitive data including WiFi passwords, location information, device identifiers, and MAC addresses. The malware maintains command and control infrastructure through multiple domains and generates revenue through aggressive advertising that interrupts user activity regardless of the current application.

Pulse ID: 6a123f4adef80b0c4d8ccd35
Pulse Link: https://otx.alienvault.com/pulse/6a123f4adef80b0c4d8ccd35
Pulse Author: AlienVault
Created: 2026-05-23 23:59:06

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APK #Android #Chinese #CyberSecurity #InfoSec #Mac #Malware #OTX #OpenThreatExchange #Password #Passwords #RAT #Thailand #Trojan #UnitedStates #Word #bot #AlienVault

Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns

Unit 42 researchers identified six new remote access Trojan variants deployed by Iran-nexus APT group Screening Serpens between February and April 2026, coinciding with a regional conflict starting February 28, 2026. The group targeted entities in the U.S., Israel, UAE, and other Middle Eastern locations, primarily focusing on technology sector professionals through highly tailored social engineering using personalized recruitment lures. Two new malware families, MiniUpdate and MiniJunk V2, were discovered featuring advanced techniques including AppDomainManager hijacking that manipulates .NET application initialization to disable security mechanisms. The campaigns demonstrated increased technical capabilities and operational resilience, with each variant using dedicated C2 infrastructure hosted on Azure. The attacks leveraged DLL sideloading, scheduled tasks for persistence, and sophisticated evasion techniques to maintain long-term access for espionage purposes.

Pulse ID: 6a109360ffcb2c8229a150c7
Pulse Link: https://otx.alienvault.com/pulse/6a109360ffcb2c8229a150c7
Pulse Author: AlienVault
Created: 2026-05-22 17:33:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Azure #CyberSecurity #Espionage #InfoSec #Iran #Israel #Malware #MiddleEast #NET #OTX #OpenThreatExchange #RAT #RemoteAccessTrojan #SMS #SideLoading #SocialEngineering #Trojan #UAE #Unit42 #bot #AlienVault

SilverFox APT Distributes ValleyRAT Using Fake Microsoft Teams

ValleyRAT malware is distributed through fake Microsoft Teams download sites using trojanized installers and DLL sideloading techniques. The campaign uses multi-stage execution, persistence mechanisms and encrypted C2 communication to evade detection and conduct data theft activities on compromised systems.

Pulse ID: 6a10c2d0bebcbfb2b4e42090
Pulse Link: https://otx.alienvault.com/pulse/6a10c2d0bebcbfb2b4e42090
Pulse Author: cryptocti
Created: 2026-05-22 20:55:44

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #DataTheft #InfoSec #Malware #Microsoft #MicrosoftTeams #OTX #OpenThreatExchange #RAT #SMS #SideLoading #Trojan #bot #cryptocti