Mallory

Mobile and RAT Malware Campaigns Targeting Asia and Banking Users

Tags: phishing attachments, RAT, phishing, mobile, counterfeit apps, SMS, data exfiltration, Telegram, Android, banking, Southeast Asia, DLL side-loading, APK, system reconnaissance, multi-platform
Updated January 15, 2026 at 10:00 PM · 4 sources

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

Reporting over the past week highlighted multiple active malware campaigns, including a second-stage ValleyRAT payload (ValleyRAT_S2) targeting organizations in China, Hong Kong, Taiwan, and Southeast Asia. The ValleyRAT_S2 stage was reported to spread via counterfeit productivity apps, cracked software, Chinese-language utilities, and phishing attachments, using DLL side-loading and library name mimicry to evade defenses. Post-install activity includes system reconnaissance, persistence via Steam event–masquerading callbacks, staging in %TEMP%, and capabilities such as keystroke logging and local data exfiltration.

Separately, researchers described an evolving Android banking/RAT threat dubbed deVixor, with 700+ samples observed since October 2025, distributed through fraudulent websites impersonating automotive brands to trick users into installing a malicious APK. The operation reportedly uses Telegram-based infrastructure for management and updates, with a dual-channel architecture where Firebase delivers attacker commands and a separate C2 receives stolen data; SMS-based techniques are used to harvest banking-related information. A vendor report also warned that GravityRAT has reemerged as a multi-platform RAT (Windows/macOS/Android) with expanded mobile data theft and persistence capabilities, underscoring increased targeting of smartphones for sensitive file and backup exfiltration.

Related Stories

Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms


Threat researchers reported several unrelated **RAT-focused malware campaigns** using different delivery channels and evasion techniques. **DEAD#VAX** was described as a Windows phishing operation that delivers **AsyncRAT** via purchase-order lures, abusing **IPFS-hosted VHD** files disguised as PDFs; the mounted VHD drops a multi-stage chain using **WSF**, heavily obfuscated batch scripts, and PowerShell loaders to decrypt and execute x64 shellcode **in memory** by injecting into trusted Windows processes, minimizing on-disk artifacts. Separately, analysis of **Pulsar RAT** activity described persistence via the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), an obfuscated batch dropper in *AppData*, PowerShell-based staging, and **Donut-generated shellcode** injection into processes such as `explorer.exe`, with anti-analysis features and data theft (credentials, wallets, tokens) exfiltrated via **Discord webhooks**. On Android, two distinct campaigns were highlighted. **Anatsa** banking malware was found distributed through **Google Play** in a trojanized “document reader” app that exceeded **50,000 downloads** before detection; the initial app acts as a loader that retrieves the full banking trojan and supports credential theft and C2-driven actions, with reporting attributing discovery and tracking to **Zscaler ThreatLabz**. **Arsink RAT** was reported spreading primarily via **Telegram/Discord** and file-sharing sites (e.g., MediaFire) through fake “mod/pro” apps impersonating major brands; research attributed to **Zimperium** cited **~45,000** victim IPs across **143 countries**, **1,216** malicious APKs, and **317** Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking, and microphone audio capture.

1 month ago
Mobile-Focused Threat Activity: Android Banking Trojan deVixor and QR-Code Phishing Growth


Reporting highlights an **Android banking malware** campaign dubbed **deVixor** that has been aggressively targeting **Iranian users** and has evolved from an SMS harvester into a modular **RAT** with banking fraud, surveillance, and a **remotely triggered ransomware** capability. Distribution is described as **malicious APKs** delivered via phishing sites masquerading as legitimate businesses; once installed, the malware requests extensive permissions to steal **SMS/OTP data**, card and account details, and content from banks and cryptocurrency services. The tooling reportedly supports **WebView/JavaScript injection** to capture credentials, keylogging and media theft (e.g., screenshot/gallery collection), and uses **Telegram** for command-and-control. Separate reporting notes a surge in **QR code phishing (“quishing”)** against mobile users in 2025, where QR codes are used to redirect victims to credential-harvesting or otherwise malicious sites—reinforcing that mobile users are being targeted through multiple social-engineering delivery paths beyond traditional links. Two additional items reference a **China-nexus actor (UAT-7290) targeting telecoms** and **Astaroth (“Boto Cor-de-Rosa”) banking malware pivoting to WhatsApp**, but the provided excerpts contain insufficient detail to confirm they describe the same specific mobile-banking event as deVixor or the same QR-phishing reporting.

2 months ago
Social-engineering malware campaigns delivering remote-access trojans and backdoors


Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
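Several of the summaries above share one persistence pattern: an auto-start entry (the per-user `Run` key, a startup folder, a renamed binary under `C:\ProgramData`) whose launch target sits in a user-writable staging directory such as `%TEMP%` or *AppData*, or is a script host (`cmd.exe`, PowerShell) launching a staged batch file with hidden or encoded switches. The check below is an added example of how a defender might triage collected autorun entries for that pattern; it is not code from Mallory or from any of the vendors cited, and it runs over constructed sample entries (the `alice` profile paths, value names and the placeholder `-enc AAAAAAAA` argument are invented; the `Technology360NB\DataTechnology.exe` path is taken from the summary above). The allowlist entry for OneDrive is there because legitimate per-user software also installs under `AppData\Local`, so a bare "lives in AppData" rule produces false positives and needs tuning per environment.

```python
"""Triage autorun entries for dropper-style persistence (added example).

Input is a list of AutorunEntry records as a collector would gather them from
HKCU/HKLM ...\Run keys or the Startup folder. All sample data is constructed.
"""
from dataclasses import dataclass


@dataclass
class AutorunEntry:
    source: str   # registry key or startup folder the entry came from
    name: str     # value name (registry) or file name (startup folder)
    command: str  # command line executed at logon


# Expansions for the environment variables commonly seen in Run values.
# Constructed for a hypothetical user "alice"; a real collector expands per user.
ENV = {
    "%temp%": r"c:\users\alice\appdata\local\temp",
    "%appdata%": r"c:\users\alice\appdata\roaming",
    "%localappdata%": r"c:\users\alice\appdata\local",
    "%programdata%": r"c:\programdata",
}

# Paths are normalised to lowercase with forward slashes before matching.
STAGING_DIRS = ("/appdata/local/temp/", "/appdata/roaming/", "/appdata/local/", "/programdata/")
ALLOWLIST = ("/appdata/local/microsoft/onedrive/",)          # known-good per-user installs
VENDOR_DIRS = ("/program files/", "/program files (x86)/", "/windows/")
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")
SUSPICIOUS_SWITCHES = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "bypass")
# Names the summaries describe being masqueraded; suspicious outside a vendor directory.
MIMICKED_NAMES = {"googleupdate.exe", "svchost.exe", "explorer.exe"}


def normalise(command: str) -> str:
    """Lowercase, expand %VAR% forms and unify path separators."""
    cmd = command.strip().lower()
    for var, path in ENV.items():
        cmd = cmd.replace(var, path)
    return cmd.replace("\\", "/")


def split_command(cmd: str) -> tuple[str, str]:
    """Return (target executable, remaining arguments) for a quoted or bare command."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def in_staging(text: str) -> bool:
    """True if the text references a staging directory that is not allowlisted."""
    return any(d in text for d in STAGING_DIRS) and not any(a in text for a in ALLOWLIST)


def score_entry(entry: AutorunEntry) -> list[str]:
    """Return the reasons an entry resembles the persistence pattern (empty if none)."""
    reasons: list[str] = []
    target, args = split_command(normalise(entry.command))
    base = target.rsplit("/", 1)[-1]

    if in_staging(target):
        reasons.append("launch target in user-writable staging directory")

    if any(base.startswith(host) for host in SCRIPT_HOSTS):
        if any(flag in args for flag in SUSPICIOUS_SWITCHES):
            reasons.append("script host with hidden/encoded/bypass switches")
        if in_staging(args):
            reasons.append("script host launching a script from a staging directory")

    if base in MIMICKED_NAMES and not any(v in target for v in VENDOR_DIRS):
        reasons.append("updater/system binary name outside a vendor directory")
    return reasons


def scan(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    """Map entry name -> reasons, keeping only entries that raised at least one."""
    findings = {}
    for entry in entries:
        reasons = score_entry(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Constructed sample collection: two benign entries and four matching the pattern.
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKLM\...\Run", "VendorAgent", r'"C:\Program Files\Vendor\Agent.exe" --tray'),
    AutorunEntry(RUN_HKCU, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutorunEntry(RUN_HKCU, "svc", r'cmd.exe /c "%APPDATA%\svc\update.bat"'),
    AutorunEntry(RUN_HKCU, "Updater", r"powershell.exe -w hidden -ep bypass -enc AAAAAAAA"),
    AutorunEntry(RUN_HKCU, "DataTechnology", r"C:\ProgramData\Technology360NB\DataTechnology.exe"),
    AutorunEntry("Startup folder", "GoogleUpdate.lnk", r"%TEMP%\GoogleUpdate.exe /silent"),
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Feeding this the output of a real autorun collector is a matter of building `AutorunEntry` records from its rows; the staging-directory and allowlist tuples are the parts that need local tuning, since every environment has its own set of legitimate per-user installs.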

2 months ago
