Malware

SuperCard

SuperCard is an Android banking trojan described as a modified version of the legitimate open-source NFC relay tool NFCGate. It has been reported as developed in China and offered as malware-as-a-service, and has been used in attacks against banks in Europe and Russia, including bank customers in Italy. The malware supports NFC cloning/relay attacks and is used for financial theft by enabling attackers to emulate victims’ payment cards. In related NFCGate-based campaigns documented in Russia, malicious Android apps were distributed via WhatsApp and Telegram while masquerading as legitimate bank software. Victims were socially engineered by phone to install the app, then during a fake authorization flow were instructed to tap their bank card to the back of the phone and enter their PIN. This allowed attackers to capture card data and use the harvested credentials to withdraw cash from ATMs without the victim’s physical card. Reporting cited in the content notes increasing abuse of NFCGate-derived malware, with SuperCard specifically identified as one such variant deployed against bank customers in Russia and Italy.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

the record mediaNews

Dec 8, 2025

Russian police bust bank-account hacking gang that used NFCGate-based malware

A modified NFCGate-based malware variant used for data theft and card emulation/relay attacks against bank customers.

risky biz rssNews

Jun 18, 2025

Risky Bulletin: Chrome gets a new prompt to prevent sneaky local network attacks

Android banking trojan (MaaS) used against banks; supports NFC cloning/relay to facilitate account theft.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.