AI tool Vercel was abused by cybercriminals to create a Malwarebytes lookalike website.
Cybercriminals no longer need design or coding skills to create a convincing fake brand site. All they need is a domain name and an AI website builder. In minutes, they can clone a siteβs look and feel, plug in payment or credential-stealing flows, and start luring victims through search, social media, and spam.
One side effect of being anΒ establishedΒ and trusted brand is that you attract copycats who want a slice of that trust without doing any of the work. Cybercriminals have always known it is much easier to trick users by impersonating something they already recognize than by inventing something newβand developments in AI have made it trivial for scammers to create convincing fake sites.ββ
Registering a plausible-looking domain is cheap and fast, especially through registrars and resellers that do little or no upfront vetting. Once attackers have a name that looks close enough to the real thing, they can use AI-powered tools to copy layouts, colors, and branding elements, and generate product pages, sign-up flows, and FAQs that look βon brand.β
Over a threeβmonth period leading into the 2025 shopping season, researchers observed more than 18,000 holidayβthemed domains with lures like βChristmas,β βBlack Friday,β and βFlash Sale,β with at least 750 confirmed as malicious and many more still under investigation. In the same window, about 19,000 additional domains were registered explicitly to impersonate major retail brands, nearly 3,000 of which were already hosting phishing pages or fraudulent storefronts.
These sites are used for everything from credential harvesting and payment fraud to malware delivery disguised as βorder trackersβ or βsecurity updates.β
Attackers then boost visibility using SEO poisoning, ad abuse, and comment spam, nudging their lookalike sites into search results and promoting them in social feeds right next to the legitimate ones. From a userβs perspective, especially on mobile without the hover function, that fake site can be only a typo or a tap away.β
When the impersonation hits home
A recent example shows how low the barrier to entry has become.
We were alerted to a site at installmalwarebytes[.]org that masqueraded from logo to layout as a genuine Malwarebytes site.
Close inspection revealed that the HTML carried a meta tag value pointing to v0 by Vercel, an AI-assisted app and website builder.
The tool lets users paste an existing URL into a prompt to automatically recreate its layout, styling, and structureβproducing a nearβperfect clone of a site in very little time.
The history of the imposter domain tells an incremental evolution into abuse.
Registered in 2019, the site did not initially contain any Malwarebytes branding. In 2022, the operator began layering in Malwarebytes branding while publishing Indonesianβlanguage security content. This likely helped with search reputation while normalizing the brand look to visitors. Later, the site went blank, with no public archive records for 2025, only to resurface as a full-on clone backed by AIβassisted tooling.β
Traffic did not arrive by accident. Links to the site appeared in comment spam and injected links on unrelated websites, giving users the impression of organic references and driving them toward the fake download pages.
Payment flows were equally opaque. The fake site used PayPal for payments, but the integration hid the merchantβs name and logo from the user-facing confirmation screens, leaving only the buyerβs own details visible. That allowed the criminals to accept money while revealing as little about themselves as possible.
Behind the scenes, historical registration data pointed to an origin in India and to a hosting IP (209.99.40[.]222) associated with domain parking and other dubious uses rather than normal production hosting.
Combined with the AIβpowered cloning and the evasive payment configuration, it painted a picture of lowβeffort, highβconfidence fraud.
AI website builders as force multipliers
The installmalwarebytes[.]org case is not an isolated misuse of AIβassisted builders. It fits into a broader pattern of attackers using generative tools to create and host phishing sites at scale.
Threat intelligence teams have documented abuse of Vercelβs v0 platform to generate fully functional phishing pages that impersonate signβin portals for a variety of brands, including identity providers and cloud services, all from simple text prompts. Once the AI produces a clone, criminals can tweak a few links to point to their own credentialβstealing backends and go live in minutes.
Research into AIβs role in modern phishing shows that attackers are leaning heavily on website generators, writing assistants, and chatbots to streamline the entire kill chainβfrom crafting persuasive copy in multiple languages to spinning up responsive pages that render cleanly across devices. One analysis of AIβassisted phishing campaigns found that roughly 40% of observed abuse involved website generation services, 30% involved AI writing tools, and about 11% leveraged chatbots, often in combination. This stack lets even lowβskilled actors produce professional-looking scams that used to require specialized skills or paid kits.β
Growth first, guardrails later
The core problem is not that AI can build websites. Itβs that the incentives around AI platform development are skewed. Vendors are under intense pressure to ship new capabilities, grow user bases, and capture market share, and that pressure often runs ahead of serious investment in abuse prevention.
As Malwarebytes General Manager Mark Beare put it:
βAI-powered website builders like Lovable and Vercel have dramatically lowered the barrier for launching polished sites in minutes. While these platforms include baseline security controls, their core focus is speed, ease of use, and growthβnot preventing brand impersonation at scale. That imbalance creates an opportunity for bad actors to move faster than defenses, spinning up convincing fake brands before victims or companies can react.β
Site generators allow cloned branding of wellβknown companies with no verification, publishing flows skip identity checks, and moderation either fails quietly or only reacts after an abuse report. Some builders let anyone spin up and publish a site without even confirming an email address, making it easy to burn through accounts as soon as one is flagged or taken down.
To be fair, there are signs that some providers are starting to respond by blocking specific phishing campaigns after disclosure or by adding limited brand-protection controls. But these are often reactive fixes applied after the damage is done.
Meanwhile, attackers can move to openβsource clones or lightly modified forks of the same tools hosted elsewhere, where there may be no meaningful content moderation at all.
In practice, the net effect is that AI companies benefit from the growth and experimentation that comes with permissive tooling, while the consequences is left to victims and defenders.
We have blocked the domain in our web protection module and requested a domain and vendor takedown.
How to stay safe
End users cannot fix misaligned AI incentives, but they can make life harder for brand impersonators. Even when a cloned website looks convincing, there are red flags to watch for:
Before completing any payment, always review the βPay toβ details or transaction summary. If no merchant is named, back out and treat the site as suspicious.
Do not follow links posted in comments, on social media, or unsolicited emails to buy a product. Always follow a verified and trusted method to reach the vendor.
If you come across a fake Malwarebytes website, please let us know.
We donβt just report on threatsβwe help safeguard your entire digital identity
Fresh off a breathless Super Bowl Sunday, weβre less thrilled to bring you this weekβs Weirdo Wednesday. Two stories caught our eye, both involving men who crossed clear lines and invaded womenβs privacy online.
Last week, 27-year-old Kyle Svara of Oswego, Illinois admitted to hacking womenβs Snapchat accounts across the US. Between May 2020 and February 2021, Svara harvested account security codes from 571 victims, leading to confirmed unauthorized access to at least 59 accounts.
Rather than attempting to break Snapchatβs robust encryption protocols, Svara targeted the account owners themselves with social engineering.
After gathering phone numbers and email addresses, he triggered Snapchatβs legitimate login process, which sent six-digit security codes directly to victimsβ devices. Posing as Snapchat support, he then sent more than 4,500 anonymous messages via a VoIP texting service, claiming the codes were needed to βverifyβ or βsecureβ the account.
Svara showed particular interest in Snapchatβs My Eyes Only featureβa secondary four-digit PIN meant to protect a userβs most sensitive content. By persuading victims to share both codes, he bypassed two layers of security without touching a single line of code. He walked away with private material, including nude images.
Svara didnβt do this solely for his own kicks. He marketed himself as a hacker-for-hire, advertising on platforms like Reddit and offering access to specific accounts in exchange for money or trades.
Selling his services to others was how he got found out. Although Svara stopped hacking in early 2021, his legal day of reckoning followed the 2024 sentencing of one of his customers: Steve Waithe, a former track and field coach who worked at several high-profile universities including Northeastern. Waithe paid Svara to target student athletes he was supposed to mentor.
Svara also went after women in his home area of Plainfield, Illinois, and as far away as Colby College in Maine.
He now faces charges including identity theft, wire fraud, computer fraud, and making false statements to law enforcement about child sex abuse material. Sentencing is scheduled for May 18.
How to protect your Snapchat account
Never send someone your login details or secret codes, even if you think you know them.
Passkeys let you sign in without a password, but unlike multi-factor authentication, passkeys are cryptographically tied to your device, and canβt be phished or forwarded like one-time codes. Snapchat supports them, and they offer stronger protection than traditional multi-factor authentication, which is increasingly susceptible to smart phishing attacks.
Bad guys with smart glasses
Unfortunately, hacking womenβs social media accounts to steal private content isnβt new. But predators will always find a way to use smart tech in nefarious ways. Such is the case with new generations of βsmart glassesβ powered by AI.
This week, CNN published stories from women who believed they were having private, flirtatious interactions with strangersβonly to later discover the men were recording them using camera-equipped smart glasses and posting the footage online.
These clips are often packaged as βrizzβ videosβshort for βcharismaββwhere so-called manfluencers film themselves chatting up women in public, without consent, to build followings and sell βcoachingβ services.
The glasses, sold by companies like Meta, are supposed to be used for recording only with consent, and often display a light to show that theyβre recording. In practice, that indicator is easy to hide.
When combined with AI-powered services to identify people, as researchers did in 2024, the possibilities become even more chilling. Weβre unaware of any related cases coming to court, but suspect itβs only a matter of time.
We donβt just report on scamsβwe help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itβs a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weβllΒ tell you if itβs a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victimsβ machines into residential proxy nodesβand it has been hiding in plain sight for some time.
βIβm so sick to my stomachβ
A PC builder recently turned to Redditβs r/pcmasterrace community in a panic after realizing they had downloaded 7βZip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7βZip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org.
In their Reddit post, the user described installing the file first on a laptop and later transferring it via USB to a newly built desktop. They encountered repeated 32βbit versus 64βbit errors and ultimately abandoned the installer in favor of Windowsβ builtβin extraction tools. Nearly two weeks later, Microsoft Defender alerted on the system with a generic detection: Trojan:Win32/Malgent!MSR.
The experience illustrates how a seemingly minor domain mix-up can result in long-lived, unauthorized use of a system when attackers successfully masquerade as trusted software distributors.
A trojanized installer masquerading as legitimate software
This is not a simple case of a malicious download hosted on a random site. The operators behind 7zip[.]com distributed a trojanized installer via a lookalike domain, delivering a functional copy of functional 7βZip File Manager alongside a concealed malware payload.
The installer is Authenticodeβsigned using a nowβrevoked certificate issued to Jozeal Network Technology Co., Limited, lending it superficial legitimacy. During installation, a modified build of 7zfm.exe is deployed and functions as expected, reducing user suspicion. In parallel, three additional components are silently dropped:
All components are written to C:\Windows\SysWOW64\hero\, a privileged directory that is unlikely to be manually inspected.
An independent update channel was also observed at update.7zip[.]com/version/win-service/1.0.0.2/Uphero.exe.zip, indicating that the malware payload can be updated independently of the installer itself.
Abuse of trusted distribution channels
One of the more concerning aspects of this campaign is its reliance on thirdβparty trust. The Reddit case highlights YouTube tutorials as an inadvertent malware distribution vector, where creators incorrectly reference 7zip.com instead of the legitimate domain.
This shows how attackers can exploit small errors in otherwise benign content ecosystems to funnel victims toward malicious infrastructure at scale.
Execution flow: from installer to persistent proxy service
Behavioral analysis shows a rapid and methodical infection chain:
1. File deploymentβThe payload is installed into SysWOW64, requiring elevated privileges and signaling intent for deep system integration.
2. Persistence via Windows servicesβBoth Uphero.exe and hero.exe are registered as autoβstart Windows services running under System privileges, ensuring execution on every boot.
3. Firewall rule manipulationβThe malware invokes netsh to remove existing rules and create new inbound and outbound allow rules for its binaries. This is intended to reduce interference with network traffic and support seamless payload updates.
4. Host profilingβUsing WMI and native Windows APIs, the malware enumerates system characteristics including hardware identifiers, memory size, CPU count, disk attributes, and network configuration. The malware communicates with iplogger[.]org via a dedicated reporting endpoint, suggesting it collects and reports device or network metadata as part of its proxy infrastructure.
Functional goal: residential proxy monetization
While initial indicators suggested backdoorβstyle capabilities, further analysis revealed that the malwareβs primary function is proxyware. The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victimβs IP address.
The hero.exe component retrieves configuration data from rotating βsmsheroββthemed commandβandβcontrol domains, then establishes outbound proxy connections on nonβstandard ports such as 1000 and 1002. Traffic analysis shows a lightweight XORβencoded protocol (key 0x70) used to obscure control messages.
This infrastructure is consistent with known residential proxy services, where access to real consumer IP addresses is sold for fraud, scraping, ad abuse, or anonymity laundering.
Shared tooling across multiple fake installers
The 7βZip impersonation appears to be part of a broader operation. Related binaries have been identified under names such as upHola.exe, upTiktok, upWhatsapp, and upWire, all sharing identical tactics, techniques, and procedures:
Deployment to SysWOW64
Windows service persistence
Firewall rule manipulation via netsh
Encrypted HTTPS C2 traffic
Embedded strings referencing VPN and proxy brands suggest a unified backend supporting multiple distribution fronts.
Rotating infrastructure and encrypted transport
Memory analysis uncovered a large pool of hardcoded command-and-control domains using hero and smshero naming conventions. Active resolution during sandbox execution showed traffic routed through Cloudflare infrastructure with TLSβencrypted HTTPS sessions.
The malware also uses DNS-over-HTTPS via Googleβs resolver, reducing visibility for traditional DNS monitoring and complicating network-based detection.
Evasion and antiβanalysis features
The malware incorporates multiple layers of sandbox and analysis evasion:
Virtual machine detection targeting VMware, VirtualBox, QEMU, and Parallels
Antiβdebugging checks and suspicious debugger DLL loading
Runtime API resolution and PEB inspection
Process enumeration, registry probing, and environment inspection
Cryptographic support is extensive, including AES, RC4, Camellia, Chaskey, XOR encoding, and Base64, suggesting encrypted configuration handling and traffic protection.
Defensive guidance
Any system that has executed installers from 7zip.com should be considered compromised. While this malware establishes SYSTEMβlevel persistence and modifies firewall rules, reputable security software can effectively detect and remove the malicious components. Malwarebytes is capable of fully eradicating known variants of this threat and reversing its persistence mechanisms. In highβrisk or heavily used systems, some users may still choose a full OS reinstall for absolute assurance, but it is not strictly required in all cases.
Users and defenders should:
Verify software sources and bookmark official project domains
Treat unexpected codeβsigning identities with skepticism
Monitor for unauthorized Windows services and firewall rule changes
Block known C2 domains and proxy endpoints at the network perimeter
Researcher attribution and community analysis
This investigation would not have been possible without the work of independent security researchers who went deeper than surface-level indicators and identified the true purpose of this malware family.
Luke Acha provided the first comprehensive analysis showing that the Uphero/hero malware functions as residential proxyware rather than a traditional backdoor. His work documented the proxy protocol, traffic patterns, and monetization model, and connected this campaign to a broader operation he dubbed upStage Proxy. Lukeβs full write-up is available on his blog.
s1dhy expanded on this analysis by reversing and decoding the custom XOR-based communication protocol, validating the proxy behavior through packet captures, and correlating multiple proxy endpoints across victim geolocations. Technical notes and findings were shared publicly on X (Twitter).
Additional technical validation and dynamic analysis were published by researchers at RaichuLab on Qiita and WizSafe Security on IIJ.
Their collective work highlights the importance of open, community-driven research in uncovering long-running abuse campaigns that rely on trust and misdirection rather than exploits.
Closing thoughts
This campaign demonstrates how effective brand impersonation combined with technically competent malware can operate undetected for extended periods. By abusing user trust rather than exploiting software vulnerabilities, attackers bypass many traditional security assumptionsβturning everyday utility downloads into longβlived monetization infrastructure.
Malwarebytes detects and blocks known variants of this proxyware family and its associated infrastructure.
It started with an email that looked boringly familiar: Apple logo, a clean layout, and a subject line designed to make the targetβs stomach drop.
The message claimed Apple has stopped a highβvalue Apple Pay charge at an Apple Store, complete with a case ID, timestamp, and a warning that the account could be at risk if the target doesnβt respond.β
In some cases, there was even an βappointmentβ booked on their behalf to βreview fraudulent activity,β plus a phone number they should call immediately if the time didnβt work.β Nothing in the email screams amateur. The display name appears to be Apple, the formatting closely matches real receipts, and the language hits all the right anxiety buttons.
The email warns recipients not to Apple Pay until theyβve spoken to βApple Billing & Fraud Prevention,β and it provides a phone number to call.β
After dialing the number, an agent introduces himself as part of Appleβs fraud department and asks for details such as Apple ID verification codes or payment information.
The conversation is carefully scripted to establish trust. The agent explains that criminals attempted to use Apple Pay in a physical Apple Store and that the system βpartially blockedβ the transaction. To βfully secureβ the account, he says, some details need to be verified.
The call starts with harmlessβsounding checks: your name, the last four digits of your phone number, what Apple devices you own, and so on.
Next comes a request to confirm the Apple ID email address. While the victim is looking it up, a real-looking Apple ID verification code arrives by text message.
The agent asks for this code, claiming itβs needed to confirm theyβre speaking to the rightful account owner. In reality, the scammer is logging into the account in real time and using the code to bypass two-factor authentication.
Once the account is βconfirmed,β the agent walks the victim through checking their bank and Apple Pay cards. They ask questions about bank accounts and suggest βtemporarily securingβ payment methods so criminals canβt exploit them while the βApple teamβ investigates.
The entire support process is designed to steal login codes and payment data. At scale, campaigns like this work because Appleβs brand carries enormous trust, Apple Pay involves real money, and users have been trained to treat fraud alerts as urgent and to cooperate with βsupportβ when theyβre scared.
One example submitted to Malwarebytes Scam Guard showed an email claiming an Apple Gift Card purchase for $279.99 and urging the recipient to call a support number (1-812-955-6285).
Another user submitted a screenshot showing a fake βInvoice Receipt β Paidβ styled to look like an Apple Store receipt for a 2025 MacBook Air 13-inch laptop with M4 chip priced at $1,157.07 and a phone number (1-805-476-8382) to call about this βunauthorized transaction.β
What you should know
Apple doesnβt set up fraud appointments through email. The company also doesnβt ask users to fix billing problems by calling numbers in unsolicited messages.
Closely inspect the senderβs address. In these cases, the email doesnβt come from an official Apple domain, even if the display name makes it seem legitimate.
Never share two-factor authentication (2FA) codes, SMS codes, or passwords with anyone, even if they claim to be from Apple.
Ignore unsolicited messages urging you to take immediate action. Always think and verify before you engage. Talk to someone you trust if youβre not sure.
Malwarebytes Scam Guard helped several users identify this type of scam. For those without a subscription, you can use Scam Guard in ChatGPT.
If youβve already engaged with these Apple Pay scammers, it is important to:
Change the Apple ID password immediately from Settings or appleid.apple.com, not from any link provided by email or SMS.
Check active sessions, sign out of all devices, then sign back in only on devices you recognize and control.
Rotate your Apple ID password again if you see any new login alerts, and confirm 2FA is still enabled. If not, turn it on.
In Wallet, check every card for unfamiliar Apple Pay transactions and recent in-store or online charges. Monitor bank and credit card statements closely for the next few weeks and dispute any unknown transactions immediately.
Check if the primary email account tied to your Apple ID is yours, since control of that email can be used to take over accounts.
We donβt just report on scamsβwe help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itβs a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weβllΒ tell you if itβs a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Imagine our surprise when we ended up on a site promoting that same Freecash app while investigating a βcloud storageβ phish. Weβve all probably seen one of those. Theyβre common enough and according to recent investigation by BleepingComputer, thereβs a
βlarge-scale cloud storage subscription scam campaign targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.β
Based on the description in that article, the email we found appears to be part of this campaign.
The subject line of the email is:
β{Recipient}. Your Cloud Account has been locked on Sat, 24 Jan 2026 09:57:55 -0500. Your photos and videos will be removed!β
This matches one of the subject lines that BleepingComputer listed.
And the content of the email:
βPayment Issue β Cloud Storage
Dear User,
We encountered an issue while attempting to renew your Cloud Storage subscription.
Unfortunately, your payment method has expired. To ensure your Cloud continues without interruption, please update your payment details.
Subscription ID: 9371188
Product: Cloud Storage Premium
Expiration Date: Sat,24 Jan-2026
If you do not update your payment information, you may lose access to your Cloud Storage, which may prevent you from saving and syncing your data such as photos, videos, and documents.
Update Payment Details {link button}
Security Recommendations:
Always access your account through our official website
Never share your password with anyone
Ensure your contact and billing information are up to dateβ
The link in the email leads to Β https://storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html#/redirect.html, which helps the scammer establish a certain amount of trust because it points to Google Cloud Storage (GCS). GCS is a legitimate service that allows authorized users to store and manage data such as files, images, and videos in buckets. However, as in this case, attackers can abuse it for phishing.
The redirect carries some parameters to the next website.
The feed.headquartoonjpn[.]com domain was blocked by Malwarebytes. Weβve seen it before in an earlier campaign involving an Endurance-themed phish.
After a few more redirects, we ended up at hx5.submitloading[.]com, where a fake CAPTCHA triggered the last redirect to freecash[.]com, once it was solved.
The end goal of this phish likely depends on the parameters passed along during the redirects, so results may vary.
Rather than stealing credentials directly, the campaign appears designed to monetize traffic, funneling victims into affiliate offers where the operators get paid for sign-ups or conversions.
BleepingComputer noted that they were redirected to affiliate marketing websites for various products.
βProducts promoted in this phishing campaign include VPN services, little-known security software, and other subscription-based offerings with no connection to cloud storage.β
How to stay safe
Ironically, the phishing email itself includes some solid advice:
Always access your account through our official website.
Never share your password with anyone.
Weβd like to add:
Never click on links in unsolicited emails without verifying with a trusted source.
Do not engage with websites that attract visitors like this.
Pro tip: Malwarebytes Scam Guard would have helped you identify this email as a scam and provided advice on how to proceed.
Redirect flow (IOCs)
storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html
feed.headquartoonjpn[.]com
revivejudgemental[.]com
hx5.submitloading[.]com
freecash[.]com
Update February 5, 2026
Almedia GmbH, the company behind the Freecash platform, reached out to us for information about the chain of redirects that lead to their platform. And after an investigation they notified us that:
βFollowing Malwarebytesβ reporting and the additional information they shared with us, we investigated the issue and identified an affiliate operating in breach of our policies. That partner has been removed from our network.
Almedia does not sell user data, and we take compliance, user trust, and responsible advertising seriously.β
We donβt just report on scamsβwe help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itβs a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weβllΒ tell you if itβs a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
It soundsΒ friendly,Β familiarΒ and quiteΒ harmless.Β But in aΒ scamΒ we recentlyΒ spotted, thatΒ simpleΒ phrase is beingΒ usedΒ to trick victims into installing a full remote access tool on theirΒ WindowsΒ computersβgiving attackers complete control of the system.Β
What appears to be aΒ casual party or event invitationΒ leads toΒ the silent installation ofΒ ScreenConnect, a legitimate remoteΒ supportΒ toolΒ quietly installedΒ in the background and abused byΒ attackers.Β
Hereβs how theΒ scamΒ works, whyΒ itβsΒ effective, andΒ how to protect yourself.Β
TheΒ email: AΒ partyΒ invitationΒ
Victims receive an email framed as a personal invitationβoften written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.Β
In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you donβt know.
So far,Β weβveΒ only seenΒ thisΒ campaignΒ targetingΒ peopleΒ in theΒ UK,Β butΒ thereβs nothingΒ stoppingΒ it from expandingΒ elsewhere.Β
Clicking the link in the email leadsΒ to a polishedΒ invitationΒ page hosted on an attacker-controlled domain.Β
TheΒ invite: TheΒ landing pageΒ thatΒ leads to an installerΒ
The landing page leans heavily into theΒ partyΒ theme,Β but instead of showing event details, the pageΒ nudgesΒ the user toward opening a file. None of them look dangerous on their own, but together theyΒ keep the user focused on theΒ βinvitationβΒ file:Β
A boldΒ βYouβre Invited!βΒ headlineΒ
The suggestion that aΒ friend had sent the invitationΒ
AΒ messageΒ sayingΒ the invitation is best viewed on aΒ Windows laptop or desktop
A countdownΒ suggestingΒ yourΒ invitation is already βdownloadingβΒ
A message implying urgency and social proof (βI opened mine and it was so easy!β)Β
Within seconds, the browser is redirected to downloadΒ RSVPPartyInvitationCard.msiΒ
The page even triggers the download automatically to keep the victim moving forward without stopping to think.Β
This MSI fileΒ isnβtΒ an invitation.Β ItβsΒ an installer.Β
TheΒ guest: What the MSIΒ actuallyΒ doesΒ
When theΒ user opens theΒ MSI file, it launchesΒ msiexec.exeΒ andΒ silentlyΒ installsΒ ScreenConnectΒ Client, a legitimate remote access tool often used by IT support teams.Β Β
ThereβsΒ noΒ invitation, RSVP form, or calendar entry.Β
Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnectβs relay servers, including a uniquely assigned instance domain.
That connectionΒ givesΒ the attacker theΒ same level of access as a remote ITΒ technician, including theΒ ability to:Β
SeeΒ the victimβs screen in real time
ControlΒ theΒ mouse and keyboardΒ
Upload or downloadΒ filesΒ
KeepΒ accessΒ even after the computer is restartedΒ
BecauseΒ ScreenConnectΒ is legitimate softwareΒ commonlyΒ usedΒ for remote support,Β its presenceΒ isnβtΒ always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesnβt remember installing.Β
WhyΒ thisΒ scamΒ worksΒ
This campaign is effective because it targetsΒ normal, predictable human behavior. From a behavioral security standpoint, it exploitsΒ our naturalΒ curiosityΒ andΒ appears to beΒ a lowΒ risk.Β
Most peopleΒ donβtΒ think of invitations as dangerous. Opening one feels passive,Β like glancing at a flyer or checking a message, not installing software.Β
Even security-aware users are trained to watch out for warnings and pressure. A friendly βyouβre invitedβ messageΒ doesnβtΒ trigger those alarms.Β
By the time something feels off, the software is already installed.Β
Signs your computer may be affectedΒ
Watch for:Β
A download or executed file namedΒ RSVPPartyInvitationCard.msiΒ
AΒ Windows serviceΒ namedΒ ScreenConnectΒ ClientΒ with random charactersΒ Β
Your computer makes outbound HTTPS connections toΒ ScreenConnectΒ relay domainsΒ
Your system resolvesΒ the invitation-hosting domain used in this campaign,Β xnyr[.]digitalΒ
How to stay safeΒ Β
This campaign is a reminder that modern attacks oftenΒ donβtΒ break inβtheyβreΒ invited in.Β Remote access tools give attackers deep control over a system. Acting quickly can limitΒ the damage.Β Β
For individualsΒ
If you receive an email like this:Β
Be suspicious of invitations that ask you to download or open softwareΒ
Never run MSI files from unsolicited emailsΒ
Verify invitations through another channel before opening anythingΒ
If you already clicked or ran the file:Β Β
Disconnect from the internetΒ immediatelyΒ
Check forΒ ScreenConnectΒ and uninstall it if presentΒ
Run a full security scanΒ
Change important passwords from a clean, unaffected deviceΒ
Treat βremote support toolsβ as high-risk software
Educate users:Β invitationsΒ donβtΒ come as installersΒ
This scam works by installing a legitimate remote access tool without clear user intent. Thatβs exactly the gap Malwarebytes is designed to catch.
Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. Youβre then given a choice: confirm that the tool is expected and trusted, or remove it if it isnβt.
We donβt just report on threatsβwe remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byΒ downloading Malwarebytes today.
Loyal readers and other privacy-conscious people will be familiar with the expression, βIf itβs too good to be true, itβs probably false.β
Getting paid handsomely to scroll social media definitely falls into that category. It sounds like an easy side hustle, which usually means thereβs a catch.
In January 2026, an app called Freecash shot up to the number two spot on Appleβs free iOS chart in the US, helped along by TikTok ads that look a lot like job offers from TikTok itself. The ads promised up to $35 an hour to watch your βFor Youβ page. According to reporting, the ads didnβt promote Freecash by name. Instead, they showed a young woman expressing excitement about seemingly being βhired by TikTokβ to watch videos for money.
The landing pages featured TikTok and Freecash logos and invited users to βget paid to scrollβ and βcash out instantly,β implying a simple exchange of time for money.
Those claims were misleading enough that TikTok said the ads violated its rules on financial misrepresentation and removed some of them.
Once you install the app, the promised TikTok paycheck vanishes. Instead, Freecash routes you to a rotating roster of mobile gamesβtitles like Monopoly Go and Disney Solitaireβand offers cash rewards for completing timeβlimited inβgame challenges. Payouts range from a single cent for a few minutes of daily play up to tripleβdigit amounts if you reach high levels within a fixed period.
The whole setup is designed not to reward scrolling, as it claims, but to funnel you into games where you are likely to spend money or watch paid advertisements.
Freecashβs parent company, Berlinβbased Almedia, openly describes the platform as a way to match mobile game developers with users who are likely to install and spend. The companyβs CEO has spoken publicly about using past spending data to steer users toward the genres where theyβre most βvaluableβ to advertisers.Β
Our concern, beyond the bait-and-switch, is the privacy issue. Freecashβs privacy policy allows the automatic collection of highly sensitive information, including data about race, religion, sex life, sexual orientation, health, and biometrics. Each additional mobile game you install to chase rewards adds its own privacy policy, tracking, and telemetry. Together, they greatly increase how much behavioral data these companies can harvest about a user.
Experts warn that data brokers already trade lists of people likely to be more susceptible to scams or compulsive online behaviorβprofiles that apps like this can help refine.
Weβve previously reported on data brokers that used games and apps to build massive databases, only to later suffer breaches exposing all that data.
When asked about the ads, Freecash said the most misleading TikTok promotions were created by third-party affiliates, not by the company itself. Which is quite possible because Freecash does offer an affiliate payout program to people who promote the app online. But they made promises to review and tighten partner monitoring.
For experienced users, the pattern should feel familiar: eyeβcatching promises of easy money, a baitβandβswitch into something that takes more time and effort than advertised, and a business model that suddenly makes sense when you realize your attention and data are the real products.
If youβre curious how intrusive schemes like this can be, consider using a separate email address created specifically for testing. Avoid sharing real personal details. Many users report that once they sign up, marketing emails quickly pile up.
Some of these schemes also appeal to people who are younger or under financial pressure, offering tiny payouts while generating far more value for advertisers and app developers.
So, what can you do?
Gather information about the company youβre about to give your data. Talk to friends and relatives about your plans. Shared common sense often helps make the right decisions.
Create a separate account if you want to test a service. Use a dedicated email address and avoid sharing real personal details.
Limit information you provide online to what makes sense for the purpose. Does a game publisher need your Social Security Number? I donβt think so.
Be cautious about app installs that are framed as required to make the money initially promised, and review permissions carefully.
The LastPass Threat Intelligence, Mitigation, and Escalation (TIME) team has published a warning about an active phishing campaign in which fake βmaintenanceβ emails pressure users to back up their vaults within 24 hours. The emails lead to credential-stealing phishing sites rather than any legitimate LastPass page.
The phishing campaign that started around January 19, 2026, uses emails that falsely claim upcoming infrastructure maintenance and urge users to βbackup your vault in the next 24 hours.β
Image courtesy of LastPass
βScheduled Maintenance: Backup Recommended
As part of our ongoing commitment to security and performance, we will be conducting scheduled infrastructure maintenance on our servers. Why are we asking you to create a backup? While your data remains protected at all times, creating a local backup ensures you have access to your credentials during the maintenance window. In the unlikely event of any unforeseen technical difficulties or data discrepancies, having a recent backup guarantees your information remains secure and recoverable. We recommend this precautionary measure to all users to ensure complete peace of mind and seamless continuity of service.
Create Backup Now (link)
How to create your backup 1 Click the βCreate Backup Nowβ button above 2 Select βExport Vaultβ from you account settings 3 Download and store your encrypted backup file securelyβ
The link in the email points to mail-lastpass[.]com, a domain that doesnβt belong to LastPass and has now been taken down.
Note that there are different subject lines in use. Here is a selection:
LastPass Infrastructure Update: Secure Your Vault Now
Your Data, Your Protection: Create a Backup Before Maintenance
Donβt Miss Out: Backup Your Vault Before Maintenance
Important: LastPass Maintenance & Your Vault Security
Protect Your Passwords: Backup Your Vault (24-Hour Window)
It is imperative for users to ignore instructions in emails like these. Giving away the login details for your password manager can be disastrous. For most users, it would provide access to enough information to carry out identity theft.
Stay safe
First and foremost, itβs important to understand that LastPass will never ask for your master password or demand immediate action under a tight deadline. Generally speaking, there are more guidelines that can help you stay safe.
Donβt click on links in unsolicited emails without verifying with the trusted sender that theyβre legitimate.
Always log in directly on the platform that you are trying to access, rather than through a link.
Use a real-time, up-to-dateΒ anti-malware solutionΒ with a web protection module to block malicious sites.
Report phishing emails to the company thatβs being impersonated, so they can alert other customers. In this case emails were forwarded to abuse@lastpass.com.
Pro tip:Β Malwarebytes Scam Guard Β would have recognized this email as a scam and advised you how to proceed.
We donβt just report on threatsβwe help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your, and your familyβs, personal information by using identity protection.
If you canβt beat them, copy them. That seems to be the thinking behind an unusual campaign by the Dutch police, who set up a fake ticket website selling tickets that donβt exist.
The website, TicketBewust.nl, invites people to order tickets for events like football matches and concerns. But the offers were never real. The entire site was a deliberate sting, designed to show people how easily ticket fraud works.
The Netherlandsβ National Police created the site to warn people about ticket fraud. They worked with the Fraud Helpdesk and online marketplace Marktplaats to run ads promoting βexclusive ticketsβ for sold-out concerts. If anyone got far enough to try and buy a ticket, the fake site took them to a police webpage explaining that theyβd just interacted with a fake online shop.
People fell for these too-good-to-be-true dealsβand thatβs the most interesting part of this story. Many of us assume weβre far too savvy to fall prey to such online shenanigans, but a surprisingly large number of people do.
More than 300,000 people saw the police ads on Marktplaats between October 30, 2025, and January 11, 2026. Over 30,000 people opened opened it to take a look. 7,402 of them clicked the link to the fake site that was in the ad, and 3,432 people tried to order tickets.
Thatβs a reminder that online crime works a lot like regular ecommerce. Whether youβre selling real tickets or fake ones, itβs just a numbers game. Only a small percentage of people who see an ad will ever convertβbut even a tiny fraction can be lucrative.
In this case, around 1% of people that saw the ad took the bait, but that represents a big profit for scammers. Fake ticket sellers raked in an average of $672 per victim in the US between 2020 and 2024, according to data from the Better Business Bureau (BBB).
Why ticket fraud is so common
Dutch police get around 50,000 online fraud complaints annually, with 10% involving fake tickets. Itβs a problem in other countries too, with UK losses to gig ticket scams doubling in 2024 to Β£1.6 million (around $2.1 million).
Part of the reason fake ticket scams are so effective is that many cases never get reported. Some victims donβt think the loss is significant enough, while others simply donβt want to admit they were tricked. But thereβs another, more fundamental reason these scams work so well: the audience is already primed to buy.
People searching for tickets are usually doing so because they donβt want to miss out. Scammers lean hard into that fear of missing out (FOMO), pairing it with scarcity cues like βsold out,β βlimited availability,β or time-limited offers. People under emotional pressure from urgency and scarcity tend to do irrational things and take risks they shouldnβt. Itβs why people invest erratically or take gambles on dodgy online sales.
How to protect yourself from fake ticket sites
The advice for avoiding shady ticket sellers looks a lot like advice for avoiding scams in general:
Watch what you click on social media. Social media accounts for 52% of concert ticket fraud cases, according to the BBB data. Stick to official channels like Ticketmaster, AXS, or the venueβs box officeβand double check the URL youβre accessing.
Donβt let emotions get the better of you. Ticket sellers target high-demand events because they know people are desperate to attend and might let their guard down. Thatβs why fake ticket scams spiked after Oasis announced their reunion tour.
Donβt be fooled by support lines. Just because theyβre on the phone doesnβt mean theyβre legit.
Never pay via Zelle, Venmo, Cash App, gift cards or crypto. Use credit cards or other payment methods that offer purchase protection.
A little skepticism can go a long way when looking for sought-after tickets. So if you see an online ad offering you the seats of a lifetime, take a minute to research the seller. It could save you hundreds of dollars and a heap of disappointment.
We donβt just report on scamsβwe help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itβs a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weβllΒ tell you if itβs a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Thereβs a bizarre thing happening online right now where everything is getting worse.
Your Google results have become so bad that youβve likely typed what youβre looking for, plus the word βReddit,β so you can find discussion from actual humans. If you didnβt take this route, you might get served AI results from Google Gemini, which once recommended that every person should eat βat least one small rock per day.β Your Amazon results are a slog, filled with products that have surreptitiously paid reviews. Your Facebook feed could be entirely irrelevant because the company decided years ago that you didnβt want to see what your friends posted, you wanted to see what brands posted, because brands pay Facebook, and you donβt, so brands are more important than your friends.
But, according to digital rights activist and award-winning author Cory Doctorow, this wave of online deterioration isnβt an accidentβitβs a business strategy, and it can be summed up in a word he coined a couple of years ago: Enshittification.
Enshittification is the process by which an online platformβlike Facebook, Google, or Amazonβharms its own services and products for short-term gain while managing to avoid any meaningful consequences, like the loss of customers or the impact of meaningful government regulation. It begins with an online platform treating new users with care, offering services, products, or connectivity that they may not find elsewhere. Then, the platform invites businesses on board that want to sell things to those users. This means businesses become the priority and the everyday user experience is hindered. But then, in the final stage, the platform also makes things worse for its business customers, making things better only for itself.
This is how a company like Amazon went from helping you find nearly anything you wanted to buy online to helping businesses sell you anything you wanted to buy online to making those businesses pay increasingly high fees to even be discovered online. Everyone, from buyers to sellers, is pretty much entrenched in the platform, so Amazon gets to dictate the terms.
Today, on the Lock and Code podcast with host David Ruiz, we speak with Doctorow about enshittificationβs fast damage across the internet, how to fight back, and where it all started.
ββOnce these laws were established, the tech companies were able to take advantage of them. And today we have a bunch of companies that arenβt tech companies that are nevertheless using technology to rig the game in ways that the tech companies pioneered.β
Attackers are sending very convincing fake βGoogleβ emails that slip past spam filters, route victims through several trusted Google-owned services, and ultimately lead to a look-alike Microsoft 365 sign-in page designed to harvest usernames and passwords.
Researchers found that cybercriminals used Google Cloud Application IntegrationβsΒ Send EmailΒ feature to send phishing emails from a legitimate Google address:Β noreply-application-integration@google[.]com.
Google Cloud Application Integration allows users to automate business processes by connecting any application with point-and-click configurations. New customers currently receive free credits, which lowers the barrier to entry and may attract some cybercriminals.
The initial email arrives from what looks like a real Google address and references something routine and familiar, such as a voicemail notification, a task to complete, or permissions to access a document. The email includes a link that points to a genuine Google Cloud Storage URL, so the web address appears to belong to Google and doesnβt look like an obvious fake.
After the first click, you are redirected to another Googleβrelated domain (googleusercontent[.]com) showing a CAPTCHA or image check. Once you pass the βIβm not a robot check,β you land on what looks like a normal Microsoft 365 signβin page, but on close inspection, the web address is not an official Microsoft domain.
Any credentials provided on this site will be captured by the attackers.
The use of Google infrastructure provides the phishers with a higher level of trust from both email filters and the receiving users. This is not a vulnerability, just an abuse of cloud-based services that Google provides.
Googleβs response
Google said it has taken action against the activity:
βWe have blocked several phishing campaigns involving the misuse of an email notification feature within Google Cloud Application Integration. Importantly, this activity stemmed from the abuse of a workflow automation tool, not a compromise of Googleβs infrastructure. While we have implemented protections to defend users against this specific attack, we encourage continued caution as malicious actors frequently attempt to spoof trusted brands. We are taking additional steps to prevent further misuse.β
Weβve seen several phishing campaigns that abuse trusted workflows from companies like Google, PayPal, DocuSign, and other cloud-based service providers to lend credibility to phishing emails and redirect targets to their credential-harvesting websites.
How to stay safe
Campaigns like these show that some responsibility for spotting phishing emails still rests with the recipient. Besides staying informed, here are some other tips you can follow to stay safe.
Always check theΒ actual web addressΒ of any login page; if itβs not a genuine Microsoft domain, do not enter credentials.β Using a password manager will help because they will not auto-fill your details on fake websites.
Be cautious of βurgentβ emails about voicemails, document shares, or permissions, even if they appear to come from Google or Microsoft.β Creating urgency is a common tactic by scammers and phishers.
Go directly to the service whenever possible. Instead of clicking links in emails, open OneDrive, Teams, or Outlook using your normal bookmark or app.
Use multiβfactor authentication (MFA) so that stolen passwords alone are not enough, and regularly review which apps have access to your account and remove anything you donβt recognize.
Pro tip:Β Malwarebytes Scam Guard can recognize emails like this as scams.Β You can upload suspicious text, emails, attachments and other files and ask for its opinion. Itβs really very good at recognizing scams.
We donβt just report on scamsβwe help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itβs a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weβllΒ tell you if itβs a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
In August 2025, we discovered a campaign targeting individuals in Turkey with a new Android banking Trojan we dubbed βFrogblightβ. Initially, the malware was disguised as an app for accessing court case files via an official government webpage. Later, more universal disguises appeared, such as the Chrome browser.
Frogblight can use official government websites as an intermediary step to steal banking credentials. Moreover, it has spyware functionality, such as capabilities to collect SMS messages, a list of installed apps on the device and device filesystem information. It can also send arbitrary SMS messages.
Another interesting characteristic of Frogblight is that weβve seen it updated with new features throughout September. This may indicate that a feature-rich malware app for Android is being developed, which might be distributed under the MaaS model.
This threat is detected by Kaspersky products as HEUR:Trojan-Banker.AndroidOS.Frogblight.*, HEUR:Trojan-Banker.AndroidOS.Agent.eq, HEUR:Trojan-Banker.AndroidOS.Agent.ep, HEUR:Trojan-Spy.AndroidOS.SmsThief.de.
Technical details
Background
While performing an analysis of mobile malware we receive from various sources, we discovered several samples belonging to a new malware family. Although these samples appeared to be still under development, they already contained a lot of functionality that allowed this family to be classified as a banking Trojan. As new versions of this malware continued to appear, we began monitoring its development. Moreover, we managed to discover its control panel and based on the βfr0gβ name shown there, we dubbed this family βFrogblightβ.
Initial infection
We believe that smishing is one of the distribution vectors for Frogblight, and that the users had to install the malware themselves. On the internet, we found complaints from Turkish users about phishing SMS messages convincing users that they were involved in a court case and containing links to download malware. versions of Frogblight, including the very first ones, were disguised as an app for accessing court case files via an official government webpage and were named the same as the files for downloading from the links mentioned above.
While looking for online mentions of the names used by the malware, we discovered one of the phishing websites distributing Frogblight, which disguises itself as a website for viewing a court file.
The phishing website distributing Frogblight
We were able to open the admin panel of this website, where it was possible to view statistics on Frogblight malware downloads. However, the counter had not been fully implemented and the threat actor could only view the statistics for their own downloads.
The admin panel interface of the website from which Frogblight is downloaded
Additionally, we found the source code of this phishing website available in a public GitHub repository. Judging by its description, it is adapted for fast deployment to Vercel, a platform for hosting web apps.
The GitHub repository with the phishing website source code
App features
As already mentioned, Frogblight was initially disguised as an app for accessing court case files via an official government webpage. Letβs look at one of the samples using this disguise (9dac23203c12abd60d03e3d26d372253). For analysis, we selected an early sample, but not the first one discovered, in order to demonstrate more complete Frogblight functionality.
After starting, the app prompts the victim to grant permissions to send and read SMS messages, and to read from and write to the deviceβs storage, allegedly needed to show a court file related to the user.
The full list of declared permissions in the app manifest file is shown below:
MANAGE_EXTERNAL_STORAGE
READ_EXTERNAL_STORAGE
WRITE_EXTERNAL_STORAGE
READ_SMS
RECEIVE_SMS
SEND_SMS
WRITE_SMS
RECEIVE_BOOT_COMPLETED
INTERNET
QUERY_ALL_PACKAGES
BIND_ACCESSIBILITY_SERVICE
DISABLE_KEYGUARD
FOREGROUND_SERVICE
FOREGROUND_SERVICE_DATA_SYNC
POST_NOTIFICATIONS
QUICKBOOT_POWERON
RECEIVE_MMS
RECEIVE_WAP_PUSH
REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
SCHEDULE_EXACT_ALARM
USE_EXACT_ALARM
VIBRATE
WAKE_LOCK
ACCESS_NETWORK_STATE
READ_PHONE_STATE
After all required permissions are granted, the malware opens the official government webpage for accessing court case files in WebView, prompting the victim to sign in. There are different sign-in options, one of them via online banking. If the user chooses this method, they are prompted to click on a bank whose online banking app they use and fill out the sign-in form on the bankβs official website. This is what Frogblight is after, so it waits two seconds, then opens the online banking sign-in method regardless of the userβs choice. For each webpage that has finished loading in WebView, Frogblight injects JavaScript code allowing it to capture user input and send it to the C2 via a REST API.
The malware also changes its label to βDavalarΔ±mβ if the Android version is newer than 12; otherwise it hides the icon.
The app icon before (left) and after launching (right)
In the sample we review in this section, Frogblight uses a REST API for C2 communication, implemented using the Retrofit library. The malicious app pings the C2 server every two seconds in foreground, and if no error is returned, it calls the REST API client methods fetchOutbox and getFileCommands. Other methods are called when specific events occur, for example, after the device screen is turned on, the com.capcuttup.refresh.PersistentService foreground service is launched, or an SMS is received. The full list of all REST API client methods with parameters and descriptions is shown below.
REST API client method
Description
Parameters
fetchOutbox
Request message content to be sent via SMS or displayed in a notification
device_id: unique Android device ID
ackOutbox
Send the results of processing a message received after calling the API method fetchOutbox
device_id: unique Android device ID
msg_id: message ID
status: message processing status
error: message processing error
getAllPackages
Request the names of app packages whose launch should open a website in WebView to capture user input data
action: same as the API method name
getPackageUrl
Request the website URL that will be opened in WebView when the app with the specified package name is launched
action: same as the API method name
package: the package name of the target app
getFileCommands
Request commands for file operations
Available commands:
βΒ Β Β Β Β Β download: upload the target file to the C2
βΒ Β Β Β Β Β generate_thumbnails: generate thumbnails from the image files in the target directory and upload them to the C2
βΒ Β Β Β Β Β list: send information about all files in the target directory to the C2
βΒ Β Β Β Β Β thumbnail: generate a thumbnail from the target image file and upload it to the C2
device_id: unique Android device ID
pingDevice
Check the C2 connection
device_id: unique Android device ID
reportHijackSuccess
Send captured user input data from the website opened in a WebView when the app with the specified package name is launched
action: same as the API method name
package: the package name of the target app
data: captured user input data
saveAppList
Send information about the apps installed on the device
device_id: unique Android device ID app_list: a list of apps installed on the device
app_count: a count of apps installed on the device
saveInjection
Send captured user input data from the website opened in a WebView. If it was not opened following the launch of the target app, the app_name parameter is determined based on the opened URL
device_id: unique Android device ID app_name: the package name of the target app
form_data: captured user input data
savePermission
Unused but presumably needed for sending information about permissions
device_id: unique Android device ID permission_type: permission type
status: permission status
sendSms
Send information about an SMS message from the device
device_id: unique Android device ID sender: the senderβs/recipientβs phone number
message: message text
timestamp: received/sent time
type: message type (inbox/sent)
sendTelegramMessage
Send captured user input data from the webpages opened by Frogblight in WebView
device_id: unique Android device ID
url: website URL
title: website page title
input_type: the type of user input data
input_value: user input data
final_value: user input data with additional information
timestamp: the time of data capture
ip_address: user IP address
sms_permission: whether SMS permission is granted
file_manager_permission: whether file access permission is granted
updateDevice
Send information about the device
device_id: unique Android device ID
model: device manufacturer and model
android_version: Android version
phone_number: user phone number
battery: current battery level
charging: device charging status
screen_status: screen on/off
ip_address: user IP address
sms_permission: whether SMS permission is granted
file_manager_permission: whether file access permission is granted
updatePermissionStatus
Send information about permissions
device_id: unique Android device ID
permission_type: permission type
status: permission status
timestamp: current time
uploadBatchThumbnails
Upload thumbnails to the C2
device_id: unique Android device ID
thumbnails: thumbnails
uploadFile
Upload a file to the C2
device_id: unique Android device ID
file_path: file path
download_id: the file ID on the C2
The file itself is sent as an unnamed parameter
uploadFileList
Send information about all files in the target directory
device_id: unique Android device ID
path: directory path
file_list: information about the files in the target directory
uploadFileListLog
Send information about all files in the target directory to an endpoint different from uploadFileList
device_id: unique Android device ID
path: directory path
file_list: information about the files in the target directory
uploadThumbnailLog
Unused but presumably needed for uploading thumbnails to an endpoint different from uploadBatchThumbnails
device_id: unique Android device ID
thumbnails: thumbnails
Remote device control, persistence, and protection against deletion
The app includes several classes to provide the threat actor with remote access to the infected device, gain persistence, and protect the malicious app from being deleted.
capcuttup.refresh.AccessibilityAutoClickService
This is intended to prevent removal of the app and to open websites specified by the threat actor in WebView upon target apps startup. It is present in the sample we review, but is no longer in use and deleted in further versions.
capcuttup.refresh.PersistentService
This is a service whose main purpose is to interact with the C2 and to make malicious tasks persistent.
capcuttup.refresh.BootReceiver
This is a broadcast receiver responsible for setting up the persistence mechanisms, such as job scheduling and setting alarms, after device boot completion.
Further development
In later versions, new functionality was added, and some of the more recent Frogblight variants disguised themselves as the Chrome browser. Letβs look at one of the fake Chrome samples (d7d15e02a9cd94c8ab00c043aef55aff).
In this sample, new REST API client methods have been added for interacting with the C2.
REST API client method
Description
Parameters
getContactCommands
Get commands to perform actions with contacts
Available commands:
βΒ Β Β Β Β Β ADD_CONTACT: add a contact to the user device
βΒ Β Β Β Β Β DELETE_CONTACT: delete a contact from the user device
βΒ Β Β Β Β Β EDIT_CONTACT: edit a contact on the user device
device_id: unique Android device ID
sendCallLogs
Send call logs to the C2
device_id: unique Android device ID
call_logs: call log data
sendNotificationLogs
Send notifications log to the C2. Not fully implemented in this sample, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this API method
action: same as the API method name
notifications: notification log data
Also, the threat actor had implemented a custom input method for recording keystrokes to a file using the com.puzzlesnap.quickgame.CustomKeyboardService service.
Another Frogblight sample we observed trying to avoid emulators and using geofencing techniques is 115fbdc312edd4696d6330a62c181f35. In this sample, Frogblight checks the environment (for example, device model) and shuts down if it detects an emulator or if the device is located in the United States.
Part of the code responsible for avoiding Frogblight running in an undesirable environment
Later on, the threat actor decided to start using a web socket instead of the REST API. Letβs see an example of this in one of the recent samples (08a3b1fb2d1abbdbdd60feb8411a12c7). This sample is disguised as an app for receiving social support via an official government webpage. The feature set of this sample is very similar to the previous ones, with several new capabilities added. Commands are transmitted over a web socket using the JSON format. A command template is shown below:
It is also worth noting that some commands in this version share the same meaning but have different structures, and the functionality of certain commands has not been fully implemented yet. This indicates that Frogblight was under active development at the time of our research, and since no its activity was noticed after September, it is possible that the malware is being finalized to a fully operational state before continuing to infect usersβ devices. A full list of commands with their parameters and description is shown below:
Command
Description
Parameters
connect
Send a registration message to the C2
β
connection_success
Send various information, such as call logs, to the C2; start pinging the C2 and requesting commands
β
auth_error
Log info about an invalid login key to the Android log system
β
pong_device
Does nothing
β
commands_list
Execute commands
List of commands
sms_send_command
Send an arbitrary SMS message
recipient: message destination
message: message text
msg_id: message ID
bulk_sms_command
Send an arbitrary SMS message to multiple recipients
recipients: message destinations
message: message text
get_contacts_command
Send all contacts to the C2
β
get_app_list_command
Send information about the apps installed on the device to the C2
β
get_files_command
Send information about all files in certain directories to the C2
β
get_call_logs_command
Send call logs to the C2
β
get_notifications_command
Send a notifications log to the C2. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this command
β
take_screenshot_command
Take a screenshot. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this command
β
update_device
Send registration message to the C2
β
new_webview_data
Collect WebView data. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this command
β
new_injection
Inject code. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this command
code: injected code
target_app: presumably the package name of the target app
add_contact_command
Add a contact to the user device
name: contact name
phone: contact phone
email: contact email
contact_add
Add a contact to the user device
display_name: contact name
phone_number: contact phone
email: contact email
contact_delete
Delete a contact from the user device
phone_number: contact phone
contact_edit
Edit a contact on the user device
display_name: new contact name
phone_number: contact phone
email: new contact email
contact_list
Send all contacts to the C2
β
file_list
Send information about all files in the specified directory to the C2
path: directory path
file_download
Upload the specified file to the C2
file_path: file path
download_id: an ID that is received with the command and sent back to the C2 along with the requested file. Most likely, this is used to organize data on the C2
file_thumbnail
Generate a thumbnail from the target image file and upload it to the C2
file_path: image file path
file_thumbnails
Generate thumbnails from the image files in the target directory and upload them to the C2
folder_path: directory path
health_check
Send information about the current device state: battery level, screen state, and so on
β
message_list_request
Send all SMS messages to the C2
β
notification_send
Show an arbitrary notification
title: notification title
message: notification message
app_name: notification subtext
package_list_response
Save the target package names
packages: a list of all target package names.
Each list element contains:
package_name: target package name
active: whether targeting is active
delete_contact_command
Delete a contact from the user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this command
contact_id: contact ID
name: contact name
file_upload_command
Upload specified file to the C2. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this command
file_path: file path
file_name: file name
file_download_command
Download file to user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this command
file_url: the URL of the file to download
download_path: download path
download_file_command
Download file to user device. This is not fully implemented in the sample at hand, and as of the time of writing this report, we hadnβt seen any samples with a full-fledged implementation of this command
file_url: the URL of the file to download
download_path: downloading path
get_permissions_command
Send a registration message to the C2, including info about specific permissions
β
health_check_command
Send information about the current device state, such as battery level, screen state, and so on
β
connect_error
Log info about connection errors to the Android log system
A list of errors
reconnect
Send a registration message to the C2
β
disconnect
Stop pinging the C2 and requesting commands from it
β
Authentication via WebSocket takes place using a special key.
The part of the code responsible for the WebSocket authentication logic
At the IP address to which the WebSocket connection was made, the Frogblight web panel was accessible, which accepted the authentication key mentioned above. Since only samples using the same key as the webpanel login are controllable through it, we suggest that Frogblight might be distributed under the MaaS model.
The interface of the sign-in screen for the Frogblight web panel
Judging by the menu options, the threat actor can sort victimsβ devices by certain parameters, such as the presence of banking apps on the device, and send bulk SMS messages and perform other mass actions.
Victims
Since some versions of Frogblight opened the Turkish government webpage to collect user-entered data on Turkish banksβ websites, we assume with high confidence that it is aimed mainly at users from Turkey. Also, based on our telemetry, the majority of users attacked by Frogblight are located in that country.
Attribution
Even though it is not possible to provide an attribution to any known threat actor based on the information available, during our analysis of the Frogblight Android malware and the search for online mentions of the names it uses, we discovered a GitHub profile containing repos with Frogblight, which had also created repos with Coper malware, distributed under the MaaS model. It is possible that this profile belongs to the attackers distributing Coper who have also started distributing Frogblight.
GitHub repositories containing Frogblight and Coper malware
Also, since the comments in the Frogblight code are written in Turkish, we believe that its developers speak this language.
Conclusions
The new Android malware we dubbed βFrogblightβ appeared recently and targets mainly users from Turkey. This is an advanced banking Trojan aimed at stealing money. It has already infected real usersβ devices, and it doesnβt stop there, adding more and more new features in the new versions that appear. It can be made more dangerous by the fact that it may be used by attackers who already have experience distributing malware. We will continue to monitor its development.
In Part 2, weβre diving headfirst into one of the most critical attack surfaces in the LLM ecosystem - Prompt Injection: The AI version of talking your way past the bouncer.
Many people have heard of ChatGPT, Gemini, Bart, Claude, Llama, or other artificial intelligence (AI) assistants at this point. These are all implementations of what are known as large language [β¦]
This blog will be referencing the ICS/OT Backdoors & Breaches expansion deck created by BHIS and Dragos. We will be reviewing the ICS-focused Initial Compromise cards that are used to simulate a cyber incident and suggest potential mitigations to what is presented.
by Austin Kaiser // Intern Hacking a satellite is not a new thing. Satellites have been around since 1957. The first satellite launched was called Sputnik 1 and was launched [β¦]
Quick Jump: In the constantly evolving landscape of cybersecurity, it is common to see features designed for convenience lead to negative cybersecurity consequences. Microsoft Teams, an essential tool for corporate [β¦]
Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums
The legacy of Raid, Breach, and their βsuccessorsβ provides an important lens into how data breach communities function and the real-life implications of the information they traffic
Starting June 24, 2023, visitors to the former domain of Raid Forums were greeted by the avatar of arrested administrator βpompompurinβ in tiny handcuffsβan unprecedented trolling of sorts by authorities.Β
Pompompurin, whose real name is Conor Brian Fitzpatrick, became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums and upon its shutdown, founded Breach Forums. Breach Forums continued the legacy of Raid Forums, both as a fixture among the data breach communities and as a law enforcement target.Β
The founder and administrator of Raid Forums, Diogo Santos Coelho (aka βomnipotent), was arrested on January 31, 2022. Fitzpatrick, who has been operating on English- and Russian-language forums under the pompompurin moniker since at least October 2020, was arrested by federal agents on March 15, 2023.
Now, both Raid Forums and Breach Forums are no more. And ever since their seizures, other threat actors, some of whom were involved in the Breach and Raid, have attempted to continue their legacies in the purpose and services they provide. But it has thus far been a race to the bottom.Β
Insight into the illicit spaces where cyber threat actors operate is vital to any threat intelligence operation. The legacy of Raid, Breach, and their βsuccessorsβ provides an important lens into how data breach communities function and the real-life implications of the information they traffic.Β
Relatedreading
Another One Bites the Dust: The (Apparent) End of Breach Forums
Here is a summary of the recent events that we have observed within cybercriminal communities related, in some way, to Breach Forums and its legacy as a popular home for threat actors.Β
March 17, 2023: Breach Forums administrator βbaphometβ decides to shut down the forum following the March 15 arrest of administrator pompompurin. The Washington Post included Flashpoint analysis in its March 22 coverage on the end of Breach Forums.
March 29, 2023: PwnedForum, an identically formatted clone of Breach Forums, launches and quickly gains users and shares compromised data. The forumβs creator, βSinistery,β solicited forum administrators and developers to volunteer to operate the site.Β
However, the forum was quickly shut down on April 4, 2023, following a disagreement between Sinistery and forum administrators. A message attempting to sell PwnedForum was briefly advertised on the website before closing. One of the forumβs former main administrators, βFrost,β stated that they were working on a new forum separate from PwnedForum, though they did not provide a timeline.
May 29, 2023: βImpotent,β the forum administrator Exposed, leaks the database of 478,870 Raid Forums users.
June 4, 2023: PwnedForums posted on Telegram that the notorious leak collective, ShinyHunters, is launching a forum with former Breach Forums admins.
Also on June 4, a user posted an advertisement for the Exposed forum, calling it the βnewβ Breach Forums and inviting the Russian hacktivist collective Killnet to join the forum.
June 12, 2023: ShinyHunters launches a new forum called Breach Forumsβeponymous by name only.
That very same day, Exposed Forums shut down. Its founders, βImpotentβ and βPurism,β share that they will no longer support the development of Exposed Forums while cautioning against using the new Breach Forums due to operational security concerns.
June 18, 2023: Breach Forums is hacked, and the data breach exposes the personal information of over 4,000 registered members.
OnniForums, which appears to have launched in April 2023, took responsibility for the attack. It also claimed to have breached the forum Exposed, using a zero-day vulnerability in the open source forum software MyBB. The data leak included login keys, usernames, email addresses, IP addresses, password hashes, registration dates, membersβ last visits and posts, number of posts, last activity, and social media handles with profile links.
June 24, 2023: The user database of DarkForums, a relatively new and unknown forum, is breached and leaked, joining the ranks of Raid Forums and the new Breach Forums.Β
Though it is difficult to assess if any of these forums will sufficiently fill the void of the data breach communities that Raid Forums provided, threat actors continue to start new darknet venuesβa perpetual cycle that shows the resiliency of illicit communities and forums, despite law enforcement, in-fighting, and the adversarial nature of these communities that lends itself to, well, data breaches. Though there may not be a centralized venue for data breaches, it will not be for a lack of trying β¦ even if it means leaking the databases of their competitors.
Get Flashpoint on your side
Flashpointβs suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with aΒ free Flashpoint trial.
Raymond Felch // Preface: I began my exploration of reverse-engineering firmware a few weeks back (see βJTAG β Micro-Controller Debuggingβ), and although I made considerable progress finding and identifying the [β¦]