Mobile and RAT Malware Campaigns Targeting Asia and Banking Users
Reporting over the past week highlighted multiple active malware campaigns, including a second-stage ValleyRAT payload (ValleyRAT_S2) targeting organizations in China, Hong Kong, Taiwan, and Southeast Asia. The ValleyRAT_S2 stage was reported to spread via counterfeit productivity apps, cracked software, Chinese-language utilities, and phishing attachments, using DLL side-loading and library name mimicry to evade defenses. Post-install activity includes system reconnaissance, persistence via Steam event–masquerading callbacks, staging in %TEMP%, and capabilities such as keystroke logging and local data exfiltration.
Separately, researchers described an evolving Android banking/RAT threat dubbed deVixor, with 700+ samples observed since October 2025, distributed through fraudulent websites impersonating automotive brands to trick users into installing a malicious APK. The operation reportedly uses Telegram-based infrastructure for management and updates, with a dual-channel architecture where Firebase delivers attacker commands and a separate C2 receives stolen data; SMS-based techniques are used to harvest banking-related information. A vendor report also warned that GravityRAT has reemerged as a multi-platform RAT (Windows/macOS/Android) with expanded mobile data theft and persistence capabilities, underscoring increased targeting of smartphones for sensitive file and backup exfiltration.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ValleyRAT_S2 campaign targets East and Southeast Asian organizations
Reporting on January 13, 2026 described organizations in China, Hong Kong, Taiwan, and Southeast Asia being targeted with the second-stage malware ValleyRAT_S2. The malware is spread through counterfeit productivity apps, cracked software, Chinese-language utilities, and phishing emails, and uses DLL side-loading, persistence mechanisms, keystroke logging, and local data exfiltration.
GravityRAT reemerges with Android targeting
Researchers reported that GravityRAT, previously known for targeting Windows and macOS, has expanded to Android devices. The malware can maintain persistent access and exfiltrate sensitive mobile data including documents, photos, and encrypted backups.
Researchers identify more than 700 deVixor samples
Analysis published in mid-January 2026 reported over 700 deVixor samples, indicating a large-scale and actively maintained malware operation. The campaign uses Telegram-based administration and Firebase for command delivery, with a separate C2 channel for exfiltrated data.
deVixor evolves into a full-featured Android RAT with ransomware
Researchers found deVixor expanded from basic SMS harvesting into a more capable Android banking trojan and RAT. Its newer functionality includes credential theft through WebView-based JavaScript injection, keylogging, OTP and notification theft, Accessibility Service abuse, and a ransomware module that can lock devices and demand 50 TRX in TRON cryptocurrency.
deVixor campaign begins targeting Iranian banking users
The Android malware campaign involving deVixor has reportedly been active since October 2025, initially targeting Iranian banking users. Victims were lured through phishing websites posing as automotive businesses and offering unrealistic vehicle discounts to induce installation of a malicious APK.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
New Android malware ‘deVixor’ adds ransomware capabilities | SC Media
scworld.com
Open sourceSecond stage ValleyRAT payload emerges | SC Media
scworld.com
Open sourceAndroid Banking Malware deVixor Actively Targeting Users with Ransomware Capabilities
cybersecuritynews.com
Open sourceGravityRAT Expands Remote Access Threats to Mobile Devices
zimperium.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms
Threat researchers reported several unrelated **RAT-focused malware campaigns** using different delivery channels and evasion techniques. **DEAD#VAX** was described as a Windows phishing operation that delivers **AsyncRAT** via purchase-order lures, abusing **IPFS-hosted VHD** files disguised as PDFs; the mounted VHD drops a multi-stage chain using **WSF**, heavily obfuscated batch scripts, and PowerShell loaders to decrypt and execute x64 shellcode **in memory** by injecting into trusted Windows processes, minimizing on-disk artifacts. Separately, analysis of **Pulsar RAT** activity described persistence via the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), an obfuscated batch dropper in *AppData*, PowerShell-based staging, and **Donut-generated shellcode** injection into processes such as `explorer.exe`, with anti-analysis features and data theft (credentials, wallets, tokens) exfiltrated via **Discord webhooks**. On Android, two distinct campaigns were highlighted. **Anatsa** banking malware was found distributed through **Google Play** in a trojanized “document reader” app that exceeded **50,000 downloads** before detection; the initial app acts as a loader that retrieves the full banking trojan and supports credential theft and C2-driven actions, with reporting attributing discovery and tracking to **Zscaler ThreatLabz**. **Arsink RAT** was reported spreading primarily via **Telegram/Discord** and file-sharing sites (e.g., MediaFire) through fake “mod/pro” apps impersonating major brands; research attributed to **Zimperium** cited **~45,000** victim IPs across **143 countries**, **1,216** malicious APKs, and **317** Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking, and microphone audio capture.
Mar 21, 2026
Mobile-Focused Threat Activity: Android Banking Trojan deVixor and QR-Code Phishing Growth
Reporting highlights an **Android banking malware** campaign dubbed **deVixor** that has been aggressively targeting **Iranian users** and has evolved from an SMS harvester into a modular **RAT** with banking fraud, surveillance, and a **remotely triggered ransomware** capability. Distribution is described as **malicious APKs** delivered via phishing sites masquerading as legitimate businesses; once installed, the malware requests extensive permissions to steal **SMS/OTP data**, card and account details, and content from banks and cryptocurrency services. The tooling reportedly supports **WebView/JavaScript injection** to capture credentials, keylogging and media theft (e.g., screenshot/gallery collection), and uses **Telegram** for command-and-control. Separate reporting notes a surge in **QR code phishing (“quishing”)** against mobile users in 2025, where QR codes are used to redirect victims to credential-harvesting or otherwise malicious sites—reinforcing that mobile users are being targeted through multiple social-engineering delivery paths beyond traditional links. Two additional items reference a **China-nexus actor (UAT-7290) targeting telecoms** and **Astaroth (“Boto Cor-de-Rosa”) banking malware pivoting to WhatsApp**, but the provided excerpts contain insufficient detail to confirm they describe the same specific mobile-banking event as deVixor or the same QR-phishing reporting.
Mar 21, 2026
Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
Mar 21, 2026