Mirax Trojan Hijacks Android Devices for Proxy Network

Meet Mirax, a sneaky new Android banking trojan that's not only stealing credentials, but also hijacking devices to create a powerful proxy network - putting European users at risk. This emerging malware is a triple threat, combining a malware-as-a-service model, remote access capabilities, and residential proxies to wreak havoc…

https://osintsights.com/mirax-trojan-hijacks-android-devices-for-proxy-network?utm_source=mastodon&utm_medium=social

#AndroidBankingTrojan #EmergingThreats #Malwareasaservice #ResidentialProxies #Maas

💬 Telegram plays an important role in many underground businesses. Threat actors commonly stand up channels to market and support malicious activities such as malware-as-a-service (MaaS) subscriptions. While investigating ScreenConnect servers, a remote access support tool commonly abused by threat actors, we found an interesting business that we had never seen before. This actor used telegram as a storefront and support channel for an underground Remote Access Toolkit Online (RATO) platform. Technically RATO is a service that bundles cPanel and ScreenConnect technology to help its cyber criminal customers remotely access victim machines and manage scams, phishing, and malware (e.g. Latrodectus).

🐀 🔴 We discovered several servers that matched a ScreenConnect signature but these instances did not serve the typical ScreenConnect web content. Instead, their service is called "RATO PLATFORM" and the portal page shows the slogan "Can't catch the RAT__". We've found several telegram channels that promote services named "RATO", use the rat head logo (see attached image), or the domain rato[.]to. Based on their telegram chat content, it's clear their business model is focused on enabling cybercrime.

@rato_support
@ratofaqs
@rato_backup
@rato_hosting
@Rato2_bot

Consistent with RATO’s “BulletProof & Anti-Red Hosting” feature, we saw many RATO instances on ASNs with a high concentration of malicious activity (e.g., AS202412). Additionally, RATO infrastructure shows strong ties to Indonesia including Indonesian IP addresses in passive DNS and domains within the same cloudflare account used for serving online gambling to Indonesian-speaking users. Collectively, RATO and its customers operate a large number of domains. Here are some examples:

asakusubinitohas[.]com
bmw320ikaka[.]co
cpusx[.]com
newoneazu[.]com
ratmail[.]pro
rato[.]page
rato[.]to
ratodemo[.]pro
sesrecipt[.]com
silk-gen[.]com
sunostart[.]com
viewyourstatementonline[.]com

#dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel #scam #phishing #malware #maas #telegram #indonesia #screenconnect #latrodectus #rat #rmm #remotemonitoringmanagement #downloader #spam #rato

Stealer Campaign Impacting SLTT macOS Users

MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service (MaaS), distributed through SEO poisoning and fake ClickFix CAPTCHAs. The campaign has evolved through three iterations since November 2025, shifting from fake download sites to malicious ChatGPT conversations and finally to sophisticated shell-based loaders with dynamic AppleScript payloads. Threat actors use Google-sponsored search results to redirect victims to fake CAPTCHA pages that trick users into executing malicious terminal commands. The stealer targets browser credentials, cryptocurrency wallets, SSH keys, cloud provider credentials, and Keychain data. A critical capability includes trojanizing Ledger hardware wallet applications to capture seed phrases. The February 2026 campaign generated over 18,000 clicks in three days, with Russian-language comments suggesting operators work within a Russian-speaking ecosystem. The malware employs API key-gated C2 infrastructure and in-memory execution for evasion.

Pulse ID: 69d7ed2e323d7edb856fa161
Pulse Link: https://otx.alienvault.com/pulse/69d7ed2e323d7edb856fa161
Pulse Author: AlienVault
Created: 2026-04-09 18:17:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #ChatGPT #Cloud #CyberSecurity #Edge #Google #InfoSec #InfoStealer #MaaS #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Russia #SEOPoisoning #SSH #Trojan #bot #cryptocurrency #AlienVault

Kaspersky Uncovers CrystalX RAT with Extensive Spyware and Stealer Capabilities

Meet CrystalX, a sinister new remote-access tool that's being sold as a ready-made menace, packing an alarming combination of spyware, stealer, and prankware capabilities that put your digital security at risk. This malicious toolkit is the latest threat to watch out for, and Kaspersky researchers are sounding the alarm.

https://osintsights.com/kaspersky-uncovers-crystalx-rat-with-extensive-spyware-and-stealer-capabilities

#Crystalx #RemoteAccessTool #Rat #Maas #Spyware

🚨 #Miolab Stealer is an advanced #MaaS threat targeting Apple devices.

🔐 It uses fake system prompts and native macOS tools to steal credentials and business-sensitive files quietly.

Get actionable insights and speed up triage: https://any.run/malware-trends/miolab/?utm_source=mastodon&utm_medium=post&utm_campaign=miolab&utm_term=060426&utm_content=linktomtt

#cybersecurity #infosec

A laughing RAT: CrystalX combines spyware; stealer; and prankware features

In March 2026, a new MaaS active campaign was discovered promoting previously unknown malware in private Telegram chats. The Trojan features an extensive arsenal of capabilities. On the panel provided to third‑party actors, in addition to the standard features of RAT‑like malware, a stealer, keylogger, clipper, and spyware are also available.

Pulse ID: 69ccba2f8538ade72d6e71e6
Pulse Link: https://otx.alienvault.com/pulse/69ccba2f8538ade72d6e71e6
Pulse Author: AlienVault
Created: 2026-04-01 06:24:47

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #KeyLogger #MaaS #Malware #OTX #OpenThreatExchange #RAT #SpyWare #Telegram #Trojan #bot #AlienVault

https://companydata.tsujigawa.com/press-20260328-002/

2026年3月27日（金）、岐阜県郡上市役所防災センターにて、医療MaaS車両「MedaaS（メディアース）」の納車式典が執り行われました。本車両は、深刻な医師・看護師不足や高齢化、山間地域における医療アクセスの課題を抱える郡上市において、患者のもとへ医療を届ける「動く診察室」として導入されたものです。

■プレスリリース配信元-株式会社M-aid
https://companydata.tsujigawa.com/company/1180001119077/

#MaaS #MedaaS #メディアース #プレスリリース #PressRelease #企業情報

Один timestamp, один round-robin, один плавающий список tools: 7 анти-паттернов, которые убивают префикс кэша LLM

Кэширование включено, а cached_tokens всё равно не растут? Часто проблема не в модели и не в провайдере. Hit rate обычно режут совсем другие вещи: timestamp в начале запроса, плавающий порядок tools, разные реплики, RAG с нестабильным порядком чанков и слишком короткая жизнь KV-кэша. В статье разбираю 7 типовых анти-паттернов, которые убивают prefix_cache_hit в проде.

https://habr.com/ru/companies/bitrix/articles/1016734/

#prefix_cache #искусственный_интеллект #vllm #openai #anthropic #maas #selfhosted #promptengineering #contextengineering #agents