StepDrainer MaaS Platform Targeting Multi-Chain Crypto Wallets and NFT Assets

StepDrainer is a Malware-as-a-Service (MaaS) platform engineered to steal digital assets from cryptocurrency wallets, including fungible tokens and high-value NFT collections. The malware supports more than 20 blockchain networks and incorporates multiple draining techniques, particularly abusing ERC-20 token permissions and NFT approval mechanisms.

The platform includes automated asset transfer capabilities, compatibility with widely used mobile wallets, and encrypted logging via Telegram channels for attacker monitoring. StepDrainer is commercially distributed within cybercriminal ecosystems, with pricing models ranging from approximately $750 for full source code access to $150 for a shared version that imposes a 20% commission on successful thefts.

Pulse ID: 69e734af1069d427edf013a9
Pulse Link: https://otx.alienvault.com/pulse/69e734af1069d427edf013a9
Pulse Author: AlienVault
Created: 2026-04-21 08:26:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #CyberSecurity #InfoSec #MaaS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #RCE #SMS #Telegram #bot #cryptocurrency #AlienVault

Mirax RAT Exploits Meta Apps to Infiltrate Android Devices

Beware of fake ads on Meta apps - a sneaky new malware called Mirax RAT is using them to secretly take control of Android devices, with a focus on Spanish-speaking nations. This remote access Trojan is part of a growing Malware-as-a-Service economy that's putting unsuspecting users at risk.

https://osintsights.com/mirax-rat-exploits-meta-apps-to-infiltrate-android-devices?utm_source=mastodon&utm_medium=social

#MiraxRat #Malwareasaservice #MetaApps #AndroidMalware #RemoteAccessTrojan

108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure

A coordinated campaign of 108 malicious Chrome extensions operated through shared command-and-control infrastructure at cloudapi[.]stream has been identified, collectively accounting for approximately 20,000 installations. The campaign spans multiple threat categories: 54 extensions steal Google account identities via OAuth2, one extension actively exfiltrates Telegram Web sessions every 15 seconds, and 45 extensions contain a universal backdoor enabling arbitrary URL execution on browser startup. Published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), these extensions masquerade as legitimate tools including Telegram sidebar clients, slot games, YouTube and TikTok enhancers, and translation utilities. All extensions route stolen credentials, user identities, and browsing data to servers controlled by the same operator, with infrastructure confirming a Malware-as-a-Service business model.

Pulse ID: 69de5f631a2f4bca81392ccd
Pulse Link: https://otx.alienvault.com/pulse/69de5f631a2f4bca81392ccd
Pulse Author: AlienVault
Created: 2026-04-14 15:38:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #ChromeExtension #Cloud #CyberSecurity #Google #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Telegram #Troll #YouTube #bot #AlienVault

Mirax Trojan Hijacks Android Devices for Proxy Network

Meet Mirax, a sneaky new Android banking trojan that's not only stealing credentials, but also hijacking devices to create a powerful proxy network - putting European users at risk. This emerging malware is a triple threat, combining a malware-as-a-service model, remote access capabilities, and residential proxies to wreak havoc…

https://osintsights.com/mirax-trojan-hijacks-android-devices-for-proxy-network?utm_source=mastodon&utm_medium=social

#AndroidBankingTrojan #EmergingThreats #Malwareasaservice #ResidentialProxies #Maas

A new Android RAT turning infected devices into potential residential proxy nodes

Mirax is a newly identified Android Remote Access Trojan operating as Malware-as-a-Service, actively targeting European users, particularly in Spanish-speaking regions. Distributed through Meta advertisements and GitHub-hosted droppers, the malware has reached over 200,000 accounts. It employs sophisticated techniques including dynamically fetched HTML overlays, comprehensive keylogging, and remote device control capabilities. A distinctive feature is its integration of SOCKS5-based residential proxy functionality, transforming infected devices into proxy nodes that enable attackers to route traffic through legitimate residential IP addresses. This capability allows operators to bypass geolocation restrictions and evade fraud detection systems while conducting account takeovers and transaction fraud. The malware uses commercial-grade obfuscation through Golden Encryption and establishes persistence through Accessibility Service abuse.

Pulse ID: 69dcfd5f0b3e3ab70a58831d
Pulse Link: https://otx.alienvault.com/pulse/69dcfd5f0b3e3ab70a58831d
Pulse Author: AlienVault
Created: 2026-04-13 14:27:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Android #CyberSecurity #Encryption #Europe #GitHub #HTML #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #Proxy #RAT #RemoteAccessTrojan #Trojan #bot #AlienVault

Stealer Campaign Impacting SLTT macOS Users

MacSync Stealer is a macOS infostealer operating as Malware-as-a-Service (MaaS), distributed through SEO poisoning and fake ClickFix CAPTCHAs. The campaign has evolved through three iterations since November 2025, shifting from fake download sites to malicious ChatGPT conversations and finally to sophisticated shell-based loaders with dynamic AppleScript payloads. Threat actors use Google-sponsored search results to redirect victims to fake CAPTCHA pages that trick users into executing malicious terminal commands. The stealer targets browser credentials, cryptocurrency wallets, SSH keys, cloud provider credentials, and Keychain data. A critical capability includes trojanizing Ledger hardware wallet applications to capture seed phrases. The February 2026 campaign generated over 18,000 clicks in three days, with Russian-language comments suggesting operators work within a Russian-speaking ecosystem. The malware employs API key-gated C2 infrastructure and in-memory execution for evasion.

Pulse ID: 69d7ed2e323d7edb856fa161
Pulse Link: https://otx.alienvault.com/pulse/69d7ed2e323d7edb856fa161
Pulse Author: AlienVault
Created: 2026-04-09 18:17:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #ChatGPT #Cloud #CyberSecurity #Edge #Google #InfoSec #InfoStealer #MaaS #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Russia #SEOPoisoning #SSH #Trojan #bot #cryptocurrency #AlienVault

Phantom Footprints: Tracking GhostSocks Malware

GhostSocks is an emerging threat that turns compromised devices into residential proxy nodes, enabling attackers to evade detection. Originally marketed on Russian underground forums as Malware-as-a-Service, it has gained popularity due to its partnership with Lumma Stealer. Written in GoLang, GhostSocks uses SOCKS5 proxy protocol and TLS encryption to blend malicious traffic into normal network activity. It also incorporates backdoor functionality for running arbitrary commands and deploying additional payloads. Darktrace observed an increase in GhostSocks activity, detecting it alongside Lumma Stealer in customer networks. The malware's versatility in converting devices into proxy nodes while enabling covert network access illustrates how threat actors maximize the value of compromised infrastructure.

Pulse ID: 69cbf2e5f01a923f01d49ea8
Pulse Link: https://otx.alienvault.com/pulse/69cbf2e5f01a923f01d49ea8
Pulse Author: AlienVault
Created: 2026-03-31 16:14:29

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #Darktrace #Encryption #Golang #InfoSec #LummaStealer #Malware #MalwareAsAService #OTX #OpenThreatExchange #Proxy #RAT #Russia #TLS #bot #socks5 #AlienVault

Sophisticated macOS Infostealer known as MioLab

MioLab, also known as Nova, has surfaced as a highly sophisticated Malware-as-a-Service (MaaS) platform specifically targeting Apple users.

Pulse ID: 69c1af72ec1c62238c869b68
Pulse Link: https://otx.alienvault.com/pulse/69c1af72ec1c62238c869b68
Pulse Author: cryptocti
Created: 2026-03-23 21:24:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #MaaS #Mac #MacOS #Malware #MalwareAsAService #OTX #OpenThreatExchange #bot #cryptocti