Canis C2 Exposed: Previously Undocumented Cross-Platform ...
On March 19, a researcher on X posted a suspicious Android APK tied to a phishing page impersonating Paidy, a Japanese buy-now-pay-later service. A quick look at the infrastructure behind it revealed an unauthenticated API sitting wide open, with endpoints exposing payloads, command logs, and the C2 source code itself. The server wasn't running a simple credential harvester. Agents for Android, iOS, Windows, Linux, and macOS were present, alongside a canvas-based device fingerprinting system and code that references iOS sandboxing mechanisms by name. The actor behind it is clearly comfortable with Japanese, and large portions of the codebase show signs of LLM-assisted development.
AI Analysis
Technical Summary
The Canis C2 infrastructure was exposed due to an unauthenticated API that publicly disclosed sensitive components such as payloads, command logs, and the C2 source code. This cross-platform surveillance and infostealer framework targets multiple operating systems and includes sophisticated fingerprinting and sandbox evasion techniques. The campaign was identified through a phishing APK linked to a fake Paidy service. The actor's use of Japanese language and LLM-assisted code development is noted. There is no CVE or vendor advisory associated with this threat, and no patch or fix has been documented.
Potential Impact
Exposure of the Canis C2 server's unauthenticated API allows potential attackers or researchers to access payloads, command logs, and source code, which could facilitate reverse engineering or unauthorized use of the framework. The multi-platform nature of the agents increases the potential attack surface across Android, iOS, Windows, Linux, and macOS devices. The phishing campaign may lead to credential theft or device compromise if users interact with the malicious APK or phishing pages. However, no active exploitation or widespread incidents have been confirmed.
Mitigation Recommendations
Patch status is not yet confirmed; because this is attacker-operated malware infrastructure rather than a product vulnerability, there is no vendor patch to apply, so check threat intelligence sources for current remediation guidance. Organizations should monitor for indicators of compromise related to this campaign, including the listed domains, URLs, and file hashes. Since the API was exposed due to misconfiguration, operators of similar infrastructure should ensure proper authentication and access controls are in place to prevent unauthorized exposure. No official fix or mitigation has been published by a vendor for this threat.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hunt.io/blog/canis-c2-exposed-cross-platform-surveillance-framework-japan
- Adversary: null
- Pulse Id: 69d6a7cc78297c29949500de
- Threat Score: null
Threat ID: 69d7e6f61cc7ad14dafe7e61
Added to database: 4/9/2026, 5:50:46 PM
Last enriched: 4/9/2026, 6:06:29 PM
Last updated: 4/10/2026, 5:43:02 AM
Views: 28