SmartRAT Banking Trojan Delivered via ClickFix Lures Using Typosquatted Bank Websites

Threat actors used an AI-generated fake banking website and a ClickFix social engineering lure to deliver the SmartRAT banking trojan.

Pulse ID: 6a36411336633346d05ff88c
Pulse Link: https://otx.alienvault.com/pulse/6a36411336633346d05ff88c
Pulse Author: cryptocti
Created: 2026-06-20 07:28:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Bank #BankingTrojan #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #SocialEngineering #Trojan #bot #cryptocti

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

ClickFix Campaign Generated Via AI Delivers SmartRAT

In March 2026, threat actors leveraged AI-powered website builders to create typosquatting domains impersonating a Brazilian bank. The campaign employed ClickFix techniques, presenting victims with fake CAPTCHA and BSOD screens to trick them into executing malicious PowerShell commands. This delivered SmartRAT, a PowerShell-based banking trojan with capabilities including encrypted C2 communications, remote control of screen/keyboard/mouse, credential theft through keylogging and banking overlays, and QR code interception for transaction fraud. The malware establishes persistence via scheduled tasks and Windows services, and targets Brazilian financial institutions, payment platforms, and cryptocurrency exchanges. The threat actors' C2 panel contained critical authentication flaws allowing client-side bypass, suggesting deployment without adequate security review.

Pulse ID: 6a32e5873cf59d36f41c77be
Pulse Link: https://otx.alienvault.com/pulse/6a32e5873cf59d36f41c77be
Pulse Author: AlienVault
Created: 2026-06-17 18:20:54


#AWS #Bank #BankingTrojan #Brazil #CAPTCHA #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Trojan #TypoSquatting #Windows #bot #cryptocurrency #AlienVault


A New Android Banking Trojan Capable of Full Device Takeover

Rokarolla is a newly discovered Android banking trojan targeting 217 banking and cryptocurrency apps using 137 remote commands, enabling credential theft, SMS interception, clipboard hijacking, screen surveillance and complete device takeover by remote operators.

Pulse ID: 6a31e2e365dfe98aa223a2d0
Pulse Link: https://otx.alienvault.com/pulse/6a31e2e365dfe98aa223a2d0
Pulse Author: cryptocti
Created: 2026-06-16 23:57:23


#Android #Bank #BankingTrojan #Clipboard #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RCE #SMS #Trojan #bot #cryptocurrency #cryptocti


Android Banker with Complete Device Takeover Capabilities

A newly identified Android banking trojan named Rokarolla has been discovered, distributed through malicious websites masquerading as popular applications like TikTok or Google Chrome. The malware targets 217 distinct cryptocurrency and banking applications using 137 sophisticated commands for device control. Capabilities include harvesting lock screen credentials, exfiltrating contact lists and SMS data, deploying keyloggers, blocking calls, creating fraudulent screen overlays, and disabling Google Play Protect. The infection begins with a dropper impersonating Google Play Protect that installs a secondary payload. Rokarolla communicates with C2 infrastructure via HTTPS, uses overlays to steal banking credentials and device unlock patterns, silently monitors WhatsApp contacts, hijacks SMS and calls, manipulates clipboard content for cryptocurrency theft, and employs snapshot-based screen surveillance. It maintains persistence by hiding its icon, muting device audio, and keeping screens active indefinitely.

Pulse ID: 6a315d684f0c09972ddea652
Pulse Link: https://otx.alienvault.com/pulse/6a315d684f0c09972ddea652
Pulse Author: AlienVault
Created: 2026-06-16 14:27:52


#Android #Bank #BankingTrojan #Chrome #Clipboard #CyberSecurity #Google #GooglePlay #HTTP #HTTPS #InfoSec #KeyLogger #Malware #OTX #OpenThreatExchange #RAT #SMS #Trojan #WhatsApp #bot #cryptocurrency #AlienVault


📰 New TCLBANKER Trojan Spreads via WhatsApp and Outlook, Targeting 59 Brazilian Financial Apps

🇧🇷 New Banking Trojan 'TCLBANKER' targets 59 Brazilian financial apps! The malware spreads like a worm via WhatsApp & Outlook, using DLL side-loading to evade detection. Stay vigilant! 💻 #Malware #BankingTrojan #Brazil #Cybersecurity

๐ŸŒ cyber[.]netsecops[.]io

๐Ÿ”— https://cyber.netsecops.io/articles/new-tclbanker-trojan-targets-59-brazilian-financial-platforms-with-worm-likโ€ฆ

📰 Grandoreiro Banking Trojan Resurges, Targeting Banks in Spain and Latin America

Grandoreiro banking trojan is back. 📈 New campaigns are targeting banks and customers in Spain and Latin America, using phishing and DLL side-loading to steal credentials with fake overlays. 🏦 #Grandoreiro #Malware #BankingTrojan #Phishing #Fintech

๐ŸŒ cyber[.]netsecops[.]io

๐Ÿ”— https://cyber.netsecops.io/articles/grandoreiro-banking-malware-resurges-with-campaigns-in-europe-and-latin-amโ€ฆ

A stealthy RAT burrowing deep into Android devices

BTMOB is an Android remote access trojan that evolved from SpySolr malware and poses significant threats beyond traditional banking trojans. The malware combines phishing-led delivery with an APK builder interface that enables rapid payload generation without coding skills. Distributed through fake app stores impersonating streaming services, cryptocurrency platforms, and government agencies, BTMOB abuses Android Accessibility Services to gain elevated permissions. Marketed as malware-as-a-service with a reported $5,000 lifetime license, it provides adversaries with capabilities to exfiltrate sensitive data, capture screenshots, record device activity, and establish remote control. The tool's customizable phishing lures have been adapted for specific regions, including campaigns impersonating Argentine tax authorities, making it a rapidly evolving threat with global reach.

Pulse ID: 6a1cc51d7c8f832f819a0a43
Pulse Link: https://otx.alienvault.com/pulse/6a1cc51d7c8f832f819a0a43
Pulse Author: AlienVault
Created: 2026-05-31 23:32:45


#APK #Android #Bank #BankingTrojan #CyberSecurity #Government #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #RAT #RemoteAccessTrojan #Trojan #bot #cryptocurrency #AlienVault


Banking Trojan Targets Crypto Firms with Sophisticated Attacks

A new banking Trojan, dubbed TCLBanker, is wreaking havoc on crypto and finance platforms, allowing hackers to remotely control infected systems and steal sensitive info. This sophisticated attack, linked to North Korea's notorious Lazarus Group, has already led to the largest crypto platform hack of 2026.

https://osintsights.com/banking-trojan-targets-crypto-firms-with-sophisticated-attacks?utm_source=mastodon&utm_medium=social

#Tclbanker #BankingTrojan #LazarusGroup #NorthKorea #CryptoFirms

Banking Trojan Targets Crypto Firms with Sophisticated Attacks

Learn how TCLBanker, a banking Trojan, targets crypto and finance platforms with sophisticated attacks, and protect your business from this growing threat now.

OSINTSights

TCLBanker is targeting Android users with banking trojan capabilities - stealing credentials, intercepting messages, and abusing trust at scale. Mobile is still prime territory. 📱💸 #BankingTrojan #AndroidSecurity

https://thehackernews.com/2026/05/tclbanker-banking-trojan-targets.html

TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms

TCLBANKER targets 59 financial platforms using WhatsApp worms and Outlook phishing, increasing banking credential theft risks.

The Hacker News