99 matches found
Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. "The main common goal was to disrupt the 'assembly lines' cybercriminals...
StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them
In this article 1. The role of infostealers: From credential theft to intrusion 2. StealC: Infostealer for rent 3. Amadey: Malware-as-a-service for delivery of infostealers 4. Defending against StealC and Amadey intrusions 5. Microsoft Defender detections 6. Indicators of compromise Infostealers...
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat
Cisco Talos has uncovered a BadIIS variant -- identifiable by its embedded "demo.pdb" strings -- that functions as commodity malware. This variant is likely sold or shared among multiple Chinese-speaking cybercrime groups that operate under a malware-as-a-service MaaS model for continuous...
Arkanix Stealer: a C++ & Python infostealer
Introduction In October 2025, we discovered a series of forum posts advertising a previously unknown stealer, dubbed "Arkanix Stealer" by its authors. It operated under a MaaS malware-as-a-service model, providing users not only with the implant but also with access to a control panel featuring...
New Android malware lets criminals control your phone and drain your bank account
Albiriox is a new family of Android banking malware that gives attackers live remote control over infected phones, letting them quietly drain bank and crypto accounts during real sessions. Researchers have analyzed a new Android malware family called Albiriox which is showing signs of developing...
New Albiriox MaaS Malware Targets 400+ Apps for On-Device Fraud and Screen Control
A new Android malware named Albiriox has been advertised under a malware-as-a-service MaaS model to offer a "full spectrum" of features to facilitate on-device fraud ODF, screen manipulation, and real-time interaction with infected devices. The malware embeds a hard-coded list comprising over 400...
We opened a fake invoice and fell down a retro XWorm-shaped wormhole
Somebody forwarded an “invoice” email and asked me to check the attachment because it looked suspicious. Good instinct—it was, and what we found inside was a surprisingly old trick hiding a modern threat. What it does If the recipient had opened the attached Visual Basic Script .vbs file, it woul...
New Android Trojan 'Herodotus' Outsmarts Anti-Fraud Systems by Typing Like a Human
Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover DTO attacks. "Herodotus is designed to perform device takeover while making first attempts to mimic...
TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations
The threat actor behind the malware-as-a-service MaaS framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT. "Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executin...
SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others
The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems TDSs like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content. "The core of their operation is a sophisticated Malware-as-a-Service MaaS model, where...
New Android Malware Surge Hits Devices via Overlays, Virtualization Fraud, and NFC Theft
Cybersecurity researchers have exposed the inner workings of an Android malware called AntiDot that has compromised over 3,775 devices as part of 273 unique campaigns. "Operated by the financially motivated threat actor LARVA-398, AntiDot is actively sold as a Malware-as-a-Service MaaS on...
Rust-based Myth Stealer Malware Spread via Fake Gaming Sites Targets Chrome, Firefox Users
Cybersecurity researchers have shed light on a previously undocumented Rust-based information stealer called Myth Stealer that's being propagated via fraudulent gaming websites. "Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing...
Lumma information stealer infrastructure disrupted
The US Department of Justice DOJ and Microsoft have disrupted the infrastructure of the Lumma information stealer infostealer. Lumma Stealer, also known as LummaC or LummaC2, first emerged in late 2022 and quickly established itself as one of the most prolific infostealers. Infostealers is the na...
Android malware turns phones into malicious tap-to-pay machines
Got an Android phone? Got a tap-to-pay card? Then you're like millions of other users now at risk from a new form of cybercrime - malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into...
Lumma Stealer – Tracking distribution channels
Introduction The evolution of Malware-as-a-Service MaaS has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a...
A Deep Dive into the Latest Version of Lumma InfoStealer
Unmasking the Evolving Threat: A Deep Dive into the Latest Version of Lumma InfoStealer with Code Flow Obfuscation By Mohideen Abdul Khader · April 21, 2025 Summary Lumma Stealer, first identified in 2022, remains a significant threat to this day, continuously evolving its tactics, techniques, an...
DCRat backdoor returns
Since the beginning of the year, we've been tracking in our telemetry a new wave of DCRat distribution, with paid access to the backdoor provided under the Malware-as-a-Service MaaS model. The cybercriminal group behind it also offers support for the malware and infrastructure setup for hosting t...
Google Docs used by infostealer ACRStealer as part of attack
An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack, according to researchers. ACRStealer is often distributed via the tried and tested method of download as cracks and keygens, which are used in software piracy. The infostealer has bee...
New Banshee Stealer Variant Bypasses Antivirus with Apple's XProtect-Inspired Encryption
Cybersecurity researchers have uncovered a new, stealthier version of a macOS-focused information-stealing malware called Banshee Stealer. "Once thought dormant after its source code leak in late 2024, this new iteration introduces advanced string encryption inspired by Apple's XProtect," Check...
More_eggs MaaS Expands Operations with RevC2 Backdoor and Venom Loader
The threat actors behind the Moreeggs malware have been linked to two new malware families, indicating an expansion of its malware-as-a-service MaaS operation. This includes a novel information-stealing backdoor called RevC2 and a loader codenamed Venom Loader, both of which are deployed using...