Reddit NetSec

AlienVault OTX General

CVE Database V5

Reddit InfoSec News

Exploit-DB RSS Feed

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A sophisticated Android banking trojan named RedHook has been discovered targeting Vietnamese users through spoofed government and financial websites. The malware uses WebSocket to communicate with its command-and-control server and supports over 30 remote commands, enabling complete control over compromised devices. RedHook combines phishing, RAT, and keylogging capabilities to exfiltrate credentials and conduct fraud. It abuses Android's MediaProjection API for screen capture and sends data to a live C2 server. The malware's low antivirus detection rate makes it a stealthy and active threat. Code artifacts suggest development by a Chinese-speaking threat actor or group. An exposed AWS S3 bucket revealed operational data dating back to November 2024, indicating a shift from previous scam campaigns to this advanced banking trojan.

RedHook is a sophisticated Android banking Trojan specifically targeting users in Vietnam by leveraging spoofed government and financial websites to lure victims. The malware establishes communication with its command-and-control (C2) infrastructure using WebSocket protocol, which allows for persistent, real-time bi-directional communication. RedHook supports over 30 remote commands, granting attackers extensive control over infected devices. Its capabilities include phishing to deceive users into divulging sensitive information, Remote Access Trojan (RAT) functionalities to control devices remotely, and keylogging to capture user input such as credentials. Notably, RedHook abuses Android's MediaProjection API to capture screen content stealthily, sending this data live to the C2 server, which enhances its ability to harvest sensitive information beyond just keystrokes. The malware maintains a low detection rate by antivirus solutions, increasing its stealth and persistence. Code analysis indicates the threat actor or group behind RedHook is likely Chinese-speaking, and operational data exposed via an unsecured AWS S3 bucket reveals that the campaign has been active since at least November 2024. This marks a strategic shift from previous scam campaigns to a more advanced and targeted banking Trojan. Indicators of compromise include multiple file hashes and suspicious domains associated with the malware's infrastructure.

Detailed information about RedHook: A New Android Banking Trojan Targeting Users In Vietnam. Get real-time updates, technical details, and mitigation strategies

RedHook: A New Android Banking Trojan Targeting Users In Vietnam - Live Threat Intelligence - Threat Radar | OffSeq.com

RedHook: A New Android Banking Trojan Targeting Users In Vietnam

Hive0131 is conducting email campaigns targeting users in Colombia with fake electronic notifications of criminal proceedings, purportedly from The Judiciary of Colombia. The campaigns deliver DCRat, a banking trojan operated as Malware-as-a-Service, through embedded links or PDF lures. DCRat's presence has increased in Latin America since 2024. The infection chain involves downloading a loader called VMDetectLoader, which uses process hollowing to inject DCRat into memory. VMDetectLoader can detect virtual machines and create persistence through scheduled tasks or registry keys. DCRat has various capabilities including recording victims, file manipulation, and keystroke logging. IBM X-Force assesses that Latin America will continue facing targeting from actors deploying banking trojans via phishing campaigns.

The threat involves a sophisticated phishing campaign conducted by the threat actor Hive0131, primarily targeting users in Colombia with fake electronic notifications purportedly from The Judiciary of Colombia. These phishing emails contain embedded links or PDF attachments designed to lure victims into downloading a loader named VMDetectLoader. This loader employs advanced evasion techniques, including virtual machine detection to avoid sandbox analysis, and uses process hollowing to inject the DCRat banking trojan directly into memory. This in-memory injection minimizes the malware's disk footprint, helping it evade traditional antivirus detection. VMDetectLoader also establishes persistence on infected systems through scheduled tasks or registry key modifications. DCRat itself is a Malware-as-a-Service (MaaS) banking trojan with a broad range of capabilities such as keystroke logging, file manipulation, and recording victim activity, enabling attackers to steal sensitive financial credentials and other confidential information. The infection chain leverages multiple MITRE ATT&CK techniques including T1566 (phishing), T1055 (process hollowing), T1547 (persistence), and T1056 (input capture), indicating a multi-stage, sophisticated attack. Although currently focused on Latin America, particularly Colombia, the modularity and MaaS model of DCRat suggest potential for expansion to other regions. Indicators of compromise include specific malicious domains (e.g., feb18.freeddns.org) and file hashes associated with the loader and trojan components. No known public exploits exist, but the campaign’s reliance on social engineering and evasion techniques makes it a persistent and evolving threat vector.

Detailed information about Threat Analysis: DCRat presence growing in Latin America. Get real-time updates, technical details, and mitigation strategies.

Threat Analysis: DCRat presence growing in Latin America - Live Threat Intelligence - Threat Radar | OffSeq.com

Threat Analysis: DCRat presence growing in Latin America

A new Android banking Trojan, Crocodilus, has rapidly evolved since its discovery in March 2025. Initially targeting Turkey, it has expanded to European countries and South America. The malware is distributed through malicious advertising on social networks, masquerading as banking and e-commerce apps. Recent developments include improved obfuscation techniques, the ability to add contacts to the victim's device, and an enhanced seed phrase collector for cryptocurrency wallets. Campaigns have been observed targeting users in Poland, Spain, and multiple global locations. The malware's sophistication and expanding reach indicate a well-organized threat actor, posing an increasing risk to users and organizations worldwide.

Crocodilus is a recently identified Android banking Trojan first discovered in March 2025. Initially targeting users in Turkey, it has rapidly expanded its reach to European countries such as Poland and Spain, as well as regions in South America. The malware is primarily distributed via malvertising campaigns on social networks, where it masquerades as legitimate banking and e-commerce applications to deceive users into installing it. Technically, Crocodilus employs advanced obfuscation techniques (MITRE ATT&CK T1027 and T1027.002) to evade detection by security solutions, making it difficult to identify and remove. It has evolved to include capabilities such as adding contacts to the victim's device, which can facilitate further social engineering or propagation within a victim's network. Additionally, it features an enhanced seed phrase collector designed to steal cryptocurrency wallet credentials, significantly increasing the potential financial impact on victims. The malware targets both traditional banking credentials and cryptocurrency assets, indicating a dual-purpose threat. Indicators of compromise include specific file hashes and malicious domains (rentvillcr.homes, rentvillcr.online) linked to its infrastructure. The campaign's rapid expansion and technical sophistication suggest a well-resourced and organized threat actor capable of maintaining and evolving the malware quickly, posing a growing risk to users and organizations relying on Android devices for financial transactions and cryptocurrency management.

Detailed information about Crocodilus Mobile Malware: Evolving Fast, Going Global. Get real-time updates, technical details, and mitigation strategies.

Crocodilus Mobile Malware: Evolving Fast, Going Global - Live Threat Intelligence - Threat Radar | OffSeq.com

Crocodilus Mobile Malware: Evolving Fast, Going Global

Zanubis is an evolving Android banking Trojan that emerged in 2022, targeting financial institutions in Peru before expanding to virtual cards and crypto wallets. It impersonates legitimate apps to trick users into granting accessibility permissions, enabling extensive data theft and device control. The malware has undergone significant development, incorporating features like SMS hijacking, screen recording, and device credential stealing. Recent versions show improved obfuscation, encryption, and silent installation techniques. The threat actors, likely based in Peru, continue to refine the malware's capabilities and targeting strategy, focusing on high-value financial targets in the region.

Zanubis is a sophisticated Android banking Trojan first identified in 2022, initially targeting financial institutions in Peru. Over time, it has evolved to expand its attack surface to include virtual cards and cryptocurrency wallets, reflecting a strategic shift to high-value digital assets. The malware operates by impersonating legitimate applications to deceive users into granting accessibility permissions. These permissions are critical as they allow Zanubis to perform extensive data theft and device control operations. Key technical capabilities of Zanubis include SMS hijacking, which enables interception and manipulation of text messages often used in two-factor authentication; screen recording to capture sensitive user interactions; and stealing device credentials to facilitate unauthorized access to financial accounts. Recent iterations of Zanubis demonstrate enhanced obfuscation and encryption techniques, making detection and analysis more challenging for security tools. Additionally, the Trojan employs silent installation methods to avoid user suspicion and maintain persistence on infected devices. The threat actors behind Zanubis are believed to be based in Peru and continue to refine the malware’s capabilities and targeting strategies, focusing on high-value financial targets within their region. Although Zanubis has not been reported to exploit known vulnerabilities or have publicly available exploits, its evolving feature set and stealth techniques make it a persistent threat to Android users involved in financial transactions, particularly in Latin America.

Detailed information about Evolution of Zanubis, a banking Trojan for Android. Get real-time updates, technical details, and mitigation strategies.

Evolution of Zanubis, a banking Trojan for Android - Live Threat Intelligence - Threat Radar | OffSeq.com

Evolution of Zanubis, a banking Trojan for Android

The infostealer Danabot has been disrupted in a multinational law enforcement operation. ESET has been tracking Danabot since 2018, contributing to the effort by providing technical analyses and identifying C&C servers. Danabot operates as a malware-as-a-service, offering various features like data theft, keylogging, and remote control. It has been used to distribute additional malware, including ransomware. The malware's authors promote their toolset through underground forums, providing affiliates with an administration panel, backconnect tool, and proxy server application. Distribution methods have included email spam, other malware, and misuse of Google Ads. Danabot employs a proprietary encrypted communication protocol and offers multiple build options for affiliates.

Danabot is a sophisticated infostealer malware family that has been active since at least 2018 and operates under a malware-as-a-service (MaaS) model. It primarily functions as a banking trojan with capabilities including credential theft, keylogging, and remote control of infected systems. Danabot's modular architecture allows affiliates to customize malware builds, enabling tailored attacks to specific targets or environments. Distribution methods have included email spam campaigns, secondary infections via other malware, and notably, misuse of legitimate platforms such as Google Ads to increase reach and evade detection. The malware communicates with its command-and-control (C&C) infrastructure using a proprietary encrypted protocol, complicating network traffic analysis and interception efforts. Affiliates are provided with an administration panel, backconnect tools, and proxy server applications, facilitating stealthy botnet management and operations. Beyond stealing sensitive data, Danabot has been used to deliver additional malware payloads, including ransomware, amplifying its threat potential. Recently, a multinational law enforcement operation disrupted Danabot's infrastructure, with contributions from cybersecurity firms like ESET. Despite this disruption, the malware's underground promotion and flexible design suggest potential for resurgence or adaptation by threat actors. Indicators of compromise include domains linked to its C&C infrastructure such as advanced-ip-scanned.com, gfind.org, mic-tests.com, and spy.danabot.ac. The medium severity rating reflects its capability to cause financial and operational damage, especially in sectors reliant on secure banking transactions and sensitive data protection.

Detailed information about Danabot: Analyzing a fallen empire. Get real-time updates, technical details, and mitigation strategies.

Danabot: Analyzing a fallen empire - Live Threat Intelligence - Threat Radar | OffSeq.com

Danabot: Analyzing a fallen empire

DanaBot, a versatile and persistent threat since 2018, has evolved from a banking trojan to a multi-purpose malware platform. It maintained an average of 150 active C2 servers daily, with 1,000 daily victims across 40+ countries. The malware's stealth and multi-tiered architecture contributed to its success. Operated likely from Russia, DanaBot's infrastructure includes Tier 1, Tier 2, and Tier 3 C2 servers. The botnet's size peaked during high-profile events, with Mexico and the US among the most impacted countries. Despite its longevity, only 25% of its C2 servers had detectable malicious signatures. Operation Endgame II, a collaborative effort between security firms and law enforcement, dealt a significant blow to DanaBot's operations.

DanaBot is a sophisticated and persistent malware platform that has been active since 2018. Initially emerging as a banking trojan, DanaBot has evolved into a multi-purpose malware-as-a-service platform capable of a wide range of malicious activities, including information theft and command-and-control (C2) operations. The malware operates through a multi-tiered C2 infrastructure, consisting of Tier 1, Tier 2, and Tier 3 servers, which enhances its resilience and stealth capabilities. At its peak, DanaBot maintained approximately 150 active C2 servers daily and infected around 1,000 victims per day across more than 40 countries. Despite its widespread activity, only about 25% of its C2 servers exhibited detectable malicious signatures, indicating advanced evasion techniques.

DanaBot’s infection vectors and tactics align with multiple MITRE ATT&CK techniques, including lateral movement (T1021.005), valid accounts exploitation (T1078, T1078.004), user execution (T1204.001, T1204.002), phishing (T1566.001, T1566.002), command and control over standard protocols (T1071), and exploitation of public-facing applications (T1190). Its modular architecture allows it to adapt to different operational goals, from stealing banking credentials to broader data exfiltration and persistence. The botnet’s size and activity have fluctuated, often increasing during high-profile events, with Mexico and the United States being the most impacted countries historically. The infrastructure is believed to be operated from Russia.

Operation Endgame II, a coordinated effort by security firms and law enforcement, has significantly disrupted DanaBot’s operations, but the malware remains a medium-severity threat due to its stealth, adaptability, and global reach. The lack of known public exploits and the absence of patches suggest that mitigation relies heavily on detection and response rather than vulnerability remediation.

Detailed information about Inside DanaBot's Infrastructure: In Support of Operation Endgame II. Get real-time updates, technical details, and mitigation strateg

Title	Severity	Type	Source	Date

Threats Tagged 'banking trojan'

Filter Threats

Threats Tagged 'banking trojan'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility