TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that's capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076. The malware family is assessed to be a...
The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico
In this installment of our SOC Files series, we will walk you through a targeted campaign that our MDR team identified and hunted down a few months ago. It involves a threat known as Horabot, a bundle consisting of an infamous banking Trojan, an email spreader, and a notably complex...
BeatBanker: A dual‑mode Android Trojan
Recently, we uncovered BeatBanker, an Android‑based malware campaign targeting Brazil. It spreads primarily through phishing attacks via a website disguised as the Google Play Store. To achieve their goals, the malicious APKs carry multiple components, including a cryptocurrency miner and a banki...
Astaroth Banking Trojan Targets Brazilians via WhatsApp Messages
Researchers at Acronis have discovered a new campaign called Boto Cor-de-Rosa, where the Astaroth banking malware spreads like a worm through WhatsApp Web to steal contact lists and banking credentials...
Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud
The threat actor known as Water Saci is actively evolving its tactics, switching to a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate via WhatsApp a worm that deploys a banking trojan in attacks targeting users in Brazil. The latest wave is...
New Sturnus Android Malware Reads WhatsApp, Telegram, Signal Chats via Accessibility Abuse
Sturnus, an advanced Android banking trojan, has been discovered by ThreatFabric. Learn how this malware bypasses end-to-end encryption on Signal and WhatsApp, steals bank credentials using fake screens, and executes fraudulent transactions...
New Eternidade Stealer Uses WhatsApp to Steal Banking Data
Trustwave SpiderLabs warns of Eternidade Stealer, a new banking trojan spreading via personalised WhatsApp messages. Find out how this malicious software bypasses security checks and deploys fake login screens for major banks and wallets...
Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices
Cybersecurity researchers have disclosed details of a new campaign that leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer as part of attacks targeting users in Brazil. "It uses Internet Message Access Protocol...
Maverick: a new banking Trojan abusing WhatsApp in a mass-scale distribution
A malware campaign was recently detected in Brazil, distributing a malicious LNK file using WhatsApp. It targets mainly Brazilians and uses Portuguese-named URLs. To evade detection, the command-and-control (C2) server verifies each download to ensure it originates from the malware itself. The whol...
Fake VPN and streaming app drops malware that drains your bank account
Security researchers are warning Android users to delete a fake VPN and streaming app that can let criminals take over their phones and drain their bank accounts. The app, Mobdro Pro IP TV + VPN, was discovered by researchers at Cleafy to be a malicious sideloaded app, not a legitimate VPN. Their...
Scam Facebook groups send malicious Android malware to seniors
An infostealer and banking Trojan rolled into one is making the rounds in Facebook groups aimed at "active seniors". Attackers used social engineering methods to lure targets into joining fake Facebook groups that appeared to promote travel and community activities—such as trips, dance classes, a...
77 malicious apps removed from Google Play Store
Google has removed 77 malicious apps from the Google Play Store. Before they were removed, researchers at ThreatLabz discovered the apps had been installed over 19 million times. One of the malware families discovered by the researchers is a banking Trojan known as Anatsa or TeaBot. This banking...
Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets
A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis...
Mobile malware evolution in 2024
These statistics are based on detection alerts from Kaspersky products, collected from users who consented to provide statistical data to Kaspersky Security Network. The statistics for previous years may differ from earlier publications due to a data and methodology revision implemented in 2024...
New TgToxic Banking Trojan Variant Evolves with Anti-Analysis Upgrades
Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors behind it are continuously making changes in response to public reporting. "The modifications seen in the TgToxic payloads reflect the actors' ongoin...
Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions
Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote. "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials,...
Download a banker to track your parcel
In late October 2024, a new scheme for distributing a certain Android banking Trojan called "Mamont" was uncovered. The victim would receive an instant message from an unknown sender asking to identify a person in a photo. The attackers would then send what appeared to be the photo itself but was...
Fake Recruiters Distribute Banking Trojan via Malicious Apps in Phishing Scam
Cybersecurity researchers have shed light on a sophisticated mobile phishing (aka mishing) campaign that's designed to distribute an updated version of the Antidot banking trojan. "The attackers presented themselves as recruiters, luring unsuspecting victims with job offers," Zimperium zLabs Vishnu...
Malicious QR codes sent in the mail deliver malware
Physical letters that contain a QR code to trick people into downloading malware are being sent through the mail, according to a warning issued by The Swiss National Cyber Security Centre (NCSC). The letters are sent as if they come from the official Swiss Federal Office of Meteorology and...
Crimeware and financial cyberthreats in 2025
Kaspersky's Global Research and Analysis Team constantly monitors known and emerging cyberthreats directed at the financial industry, with banks and fintech companies being the most targeted. We also closely follow threats that aim to infiltrate a wider range of industries, namely ransomware...