What do you do when you need a program but can’t buy an official license yet? Correct answer: “Use the trial version” or “Find a free alternative.” Wrong answer: “Search online for a cracked version.”
Sketchy alternative sources are known to offer cracked versions of software, along with other goodies. After wading through sites stuffed with ads, you may get the program you want (usually minus the future updates and network functionality), but with a miner, stealer, or whatever else thrown in for good measure.
Based on real-world examples, we explain why you should avoid sites that offer instant downloads of in-demand programs.
Miner and stealer on SourceForge
SourceForge was once the largest site for all things open source, the forerunner of GitHub. But don’t think that SourceForge is dead – today it provides software hosting and distribution services. Its software portal hosts multiple projects, uploaded by anyone who wants to.
And, as with GitHub, it’s this cosmopolitanism that is a barrier to high-level security. Let’s take just one example: our experts found a project called officepackage on SourceForge. At first glance, it looks harmless: a clear description, no-nonsense name, even a positive review.
“Officepackage” page on SourceForge
But what if we told you that the description and files were copied outright from an unrelated project on GitHub? Alarm bells are already ringing. That said, no malware lands on your computer when you click the Download button – the project is apparently clean. Apparently, because the malicious payload was not distributed directly through the officepackage project, but through the web page associated with it. How is this possible?
The fact is that every project created on SourceForge gets its own domain name and hosting on sourceforge.io. So a project named officepackage is given a web page at officepackage.sourceforge[.]io. Such pages are easily indexed by search engines and rank high in search results. This is how attackers attract victims.
Visiting officepackage.sourceforge[.]io from a search engine brought users to a page offering downloads of almost any version of the Microsoft Office suite. But, as ever, the devil was in the detail: when you hovered over the Download button, the browser’s status bar showed a link to https[:]//loading.sourceforge[.]io/download. Spotted the trap? The new link has nothing to do with officepackage; loading is an entirely different project.
The “Download” button on the “officepackage” page of the SourceForge software portal leads to a completely different project
And after clicking, users were redirected not to the page of the loading project, but to another intermediary site with another Download button. And only after clicking this did the user, weary of surfing, finally receive a file – an archive named vinstaller.zip. Inside was another archive, and inside this second archive was a malicious Windows Installer.
At the heart of this evil nesting doll were two nasties: instead of Microsoft products, a miner and ClipBanker – malware for substituting crypto wallet addresses in the clipboard – were let loose on the victim’s device after running the installer. Details of the infection scheme can be found in the full version of the study on our Securelist blog.
Malicious TookPS installer disguised as legitimate software
Cybercriminals do not limit themselves to SourceForge and GitHub. In another recent case unearthed by our experts, attackers were found distributing the malicious TookPS downloader, already familiar to us from the fake DeepSeek and Grok clients, through fake websites offering free downloads of specialized software. We discovered a whole series of such sites offering users cracked versions of UltraViewer, AutoCAD, SketchUp and other popular professional software, meaning that the attack was not only aimed at home users, but also at professional freelancers and organizations. Other malicious files detected included the names Ableton.exe and QuickenApp.exe, purported versions of the popular music creation and money management applications.
Fake pages distributing TookPS
By circuitous means, the installer downloaded two backdoors to the victim’s device: Backdoor.Win32.TeviRat and Backdoor.Win32.Lapmon. See another Securelist post to find out exactly how the malware was delivered to the victim’s device. The malware gave the attackers full access to the victim’s computer.
How to protect yourself
First, do not download pirated software. Under any circumstances. Ever. A cracked program may be temptingly free and instantly available, but the price you pay will be measured not in money, but in data – your data. And no, that doesn’t mean family photos and chats with friends. Cybercriminals are after your crypto wallets, payment card details, account passwords – and even your computer’s resources for cryptocurrency mining.
Here’s a list of rules we recommend for anyone who uses SourceForge, GitHub and other software portals.
If you can’t buy the full version of an application, use alternatives or trial versions, not cracked software. You might not get the full functionality, but at least your device is guaranteed to be safe.
Source: What happens to your computer when you download pirated software | Kaspersky official blog (posted by admin, 2025-04-08 10:06:48)
🎥 Talos Year in Review 2024: Part 1 & 2 – Watch Now!
Another year, another mountain of malicious telemetry to sift through. I spoke with a few of Talos’ Year in Review authors, freshly out of the sandbox, to discuss the how’s and why’s of our biggest findings.
Whether you’re here for the hard data or the dry humor, we’ve got you covered. We break down what mattered most in 2024 — and what’s on the radar for 2025.
Source: Year in Review: In conversation with the report’s authors (posted by admin, 2025-04-07 14:06:45)
Payment card security is constantly improving, but attackers keep finding new ways to steal money. In days gone by, having tricked the victim into handing over card credentials on a fake online store or through another scam, cybercriminals would make a physical duplicate card by writing the stolen data onto a magnetic stripe. Such cards could then be used in stores and even at ATMs without a hitch. The advent of chip cards and one-time passwords (OTPs) made life much harder for scammers, but they adapted. The shift to mobile payments using smartphones increased resilience against some types of scams — but also opened up new avenues for them. Now, having phished a card number, they try to link it to their own Apple Pay or Google Wallet account. That done, they use this account from a smartphone to pay for goods using the victim’s card — either in a regular store or at a fake outlet with an NFC-enabled payment terminal.
How card credentials are phished
Such cyberattacks entail preparation on an industrial scale. Attackers create networks of fake websites designed to phish for payment data. These might imitate delivery services, large online stores, and even portals for paying utility bills or traffic fines. The cybercriminals also buy up dozens of smartphones, create Apple or Google accounts on them, and install contactless payment apps.
Next comes the juicy bit. When a victim lands on a bait site, they’re asked to link their card or make a mandatory small payment. This requires entering their card details and confirming ownership of the card by entering an OTP. In fact, the card is not charged at this point.
What actually happens? The victim’s data is almost instantly transferred to the cybercriminals, who attempt to link the card to a mobile wallet on their smartphone. The OTP code is needed to authorize this operation. To speed up and simplify the process, the attackers use special software that takes the data supplied by the victim and generates an image of the card that replicates it perfectly. After that, it’s enough just to take a photo of this image from Apple Pay or Google Wallet. The exact process of linking a card to a mobile wallet depends on the specific country and bank, but usually, no data is required other than the number, expiration date, cardholder name, CVV/CVC, and OTP. All this can be phished in a single session and put to use immediately.
To make attacks even more effective, cybercriminals employ additional tricks. First, if the victim comes to their senses before tapping the Submit button, any data already entered into the forms is still passed to the criminals — even if it’s just a few characters or an incomplete entry. Second, the fake site may report that the payment failed and prompt the victim to try a different card. This way, the criminals might phish details for two or three cards in one go.
The cards aren’t charged right away, and many people, seeing nothing suspicious on their bank statement, forget all about the incident.
How money is stolen from cards
Cybercriminals might link dozens of cards to one smartphone without immediately trying to spend money from them. This smartphone, stuffed with card numbers, is then resold on the dark web. Often, weeks or even months go by between the phishing and the spending. But when that unpleasant day eventually comes, the criminals might decide to splash out on luxury items in a physical store simply by making a contactless payment from a phone full of phished card numbers. Alternatively, they might set up their own fake store on a legitimate e-commerce platform and charge money for non-existent goods. Some countries even allow ATM withdrawals using an NFC-enabled smartphone. In all of the above cases, no confirmation of the transaction via PIN or OTP is required, so money can be siphoned off until the victim blocks the card.
To speed up transferring mobile wallets to clandestine buyers, as well as to reduce the risk for those making payments in stores, attackers have begun to use an NFC relay technique dubbed Ghost Tap. They start by installing a legitimate app such as NFCGate on two smartphones — one with the mobile wallet and stolen cards, the other used directly for payments. This app transmits, in real time over the internet, the NFC data of the wallet from the first phone to the NFC antenna of the second, which the cybercriminals’ accomplice (known as a “mule”) taps on the payment terminal.
Most terminals in offline stores and many ATMs are unable to tell the relayed signal from an original one, allowing the mule to easily pay for goods (or gift cards, which make it easier to launder the stolen funds). And if the mule is detained in the store, there is nothing incriminating on the smartphone, only the legitimate NFCGate app. No stolen card numbers are there, for these are tucked away on the smartphone of the mastermind behind the operation, who can be anywhere, even in another country. This method allows scammers to quickly and safely cash out large sums because there can be multiple mules paying almost simultaneously with the same stolen card.
How to lose money by tapping your card on your phone
In late 2024, fraudsters came up with another NFC relay scheme and successfully tested it on users from Russia, and there’s nothing to stop the operation from being scaled up worldwide. In this scheme, victims aren’t even asked for their card credentials. Instead, the attackers socially engineer them into installing a supposedly handy app on their smartphone under the guise of a government, banking, or other service. Since many such banking and government apps in Russia were removed from official stores due to sanctions, unsuspecting users readily agree to install them. The victim is then prompted to hold their card to their smartphone and enter their PIN for “authorization” or “verification” purposes.
As you might have guessed, the installed app has nothing in common with its description. In the first wave of such attacks, what victims received was the same NFC relay, repackaged as a “handy app”. It read the card when held to the smartphone, and transmitted its data along with the PIN to the attackers, who used it to make purchases or withdraw cash from NFC-enabled ATMs. Anti-fraud systems of major Russian banks quickly learned to identify such payments due to mismatches in the victim’s and the payer’s geolocation, so in 2025 the scheme — but not the essence — changed.
Now, the victim receives an app for creating a duplicate card, and the relay is installed on the attackers’ side. Next, under the bogus pretext of the risk of theft, the victim is persuaded to deposit money into a “safe account” through an ATM, using their smartphone to authorize the payment. When the victim holds their phone to the ATM, the scammer relays their own card details to it, and the money ends up in their account. Such operations are hard to track for automatic anti-fraud systems since the transaction looks perfectly legitimate — someone walked up to an ATM and deposited cash onto a card. The anti-fraud system doesn’t know that the card belonged to someone else.
How to protect your cards from scammers
First of all, Google and Apple themselves, together with payment systems, should implement additional protective measures in the payment infrastructure. However, users can also take steps to protect themselves:
Use virtual cards for online payments. Don’t keep large amounts of money on them, and only top up just before making an online purchase. If your card issuer allows it, disable offline payments and cash withdrawals from such cards.
Get a new virtual card and block your old one at least once a year.
For offline payments, link a different card to Apple Pay, Google Wallet, or a similar service. Never use this card online, and if possible, use a mobile wallet on your smartphone when paying in stores.
Be very wary of apps asking you to hold your payment card to your smartphone, never mind enter your PIN. If it’s a long-trusted banking app, then okay; but if it’s something dodgy you only just installed from an obscure link outside an official app store, then stay clear.
Use plastic cards at ATMs, not an NFC-enabled smartphone.
Install a comprehensive security solution on all computers and smartphones to minimize the risk of landing on phishing sites and installing malicious apps.
Enable the Safe Money component, available in all our security solutions, to protect financial transactions and online purchases.
Activate the fastest possible transaction notifications (text and push) for all payment cards, and contact your bank or issuer immediately if you notice anything suspicious.
Want to learn more about how scammers can steal money from your cards? Read our posts:
Source: How to guard against NFC carding theft | Kaspersky official blog (posted by admin, 2025-04-04 10:06:47)
Welcome to this week’s edition of the Threat Source newsletter.
They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had Starry Night, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty.
If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out:
Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There’s more content coming out every week this month. Oh, you can also download the report itself here, which is useful.
The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f*****s.” Part 2 is coming out tomorrow, April 4th.
This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”).
A couple of the report’s top findings:
Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases.
Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding.
Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.
The one big thing
Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group.
Why do I care?
The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion.
Gootloader Malware Resurfaces in Google Ads for Legal Docs: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading)
UK threatens £100K-a-day fines under new cyber bill: The tech secretary revealed the landmark legislation’s full details for first time. (The Register)
Hacker linked to Oracle Cloud intrusion threatens to sell stolen data: The alleged breach was linked to a critical vulnerability (Cybersecurity Dive)
WordPress attackers hide malware in overlooked plugins directory: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)
Can’t get enough Talos?
I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings:
March was a productive and exciting month for the ANY.RUN team. We’ve been working hard to improve both our sandbox platform and Threat Intelligence services — all to help you detect threats faster and stay ahead of cybercriminals.
This month, we focused on expanding the environments available for malware analysis and making our threat detection even sharper. We also published fresh TI reports and introduced new signatures and rules to improve detection accuracy.
You can now investigate Android malware in a real ARM-based sandbox and see exactly how a suspicious APK file behaves in a mobile environment. This means no more guessing, no more blind spots, and no need for separate mobile analysis tools.
With this release, SOC teams, incident responders, and threat hunters can analyze Android threats faster and with greater accuracy, all within the familiar ANY.RUN interface.
And here’s the best part: Android OS support is available to all users, including Free Plan users.
Why it matters:
It’s fast: No waiting for static scans or time-consuming reverse engineering.
It’s interactive: Click, explore, and engage with the malware just like on a real Android device. Grant or deny permissions, trigger actions, and watch how the sample reacts.
It’s detailed: Track every move the malware makes with process trees, MITRE ATT&CK mapping, and real-time network insights.
It’s fully cloud-based: No extra setup required. Run Android malware investigations anytime, anywhere, directly in your browser.
It’s built for teams: Generate structured reports, share findings, and collaborate efficiently across your security team.
This update makes Android malware analysis easier, faster, and more accessible to everyone.
New Pre-Installed Development Tools for Deep Malware Analysis
We’ve introduced a new pre-installed software set in the Windows 10 VMs: the Development Toolkit, designed specifically for advanced malware analysis.
With this update, users can now select the “Development” option when configuring their sandbox environment. This toolkit includes essential software like Python, Node.js, debuggers, decompilers, and reverse engineering tools, pre-installed and ready to use.
It’s ideal for analyzing complex threats like Python-based malware, Node.js-based samples, or malware that requires deeper debugging and inspection.
Pre-installed software set for deeper malware analysis
What’s inside the Development Toolkit?
Python (latest version)
Node.js (latest version)
DebugView
Detect It Easy (DiE)
dnSpy
HxD Hex Editor
Process Hacker
x64dbg Debugger
Wireshark PE
This set removes the need to manually install research tools, making your analysis sessions faster, smoother, and more efficient.
Threat Coverage Updates
We’ve also boosted our threat detection and intelligence capabilities for more precise analysis.
Suricata Rules
In March, we expanded our network-based threat detection by adding 1,654 new Suricata rules. These rules enhance visibility over malicious domains, C2 infrastructure, and phishing campaigns.
Key updates include:
Detection of 25 domains linked to Lumma Stealer activity.
Identification of 2 domains associated with Pentagon-related infrastructure.
New Behavior Signatures
In March, we added a total of 64 new behavior-based detection signatures to improve malware visibility and detection accuracy. These signatures cover mutex findings, suspicious activity patterns, C2 communications, and detections for popular malware families.
Highlights from this update include:
VANHELSING malware
Wormlocker
ScreenConnect abuse
Advanced Installer misuse
HatVibe malware
VANHELSING detection (additional session)
GRANDOREIRO banking trojan
SVCSTEALER mutex detection
DINODASRAT detection
MINSTLOADER detection (script-based)
Additionally, behavior signatures were introduced to detect:
C2 communications related to Pentagon infrastructure (requires MITM analysis)
HTTP requests linked to Sneaky2FA phishing activity
domains spoofing E-ZPass
suspicious activity and evasion techniques
New YARA Rule Updates
To further strengthen static detection and classification, we added 5 new YARA rules in March. These rules improve the identification of emerging malware families and suspicious behavior patterns.
New TI Reports Published
TI Reports get you up to speed on the latest cyber threats targeting businesses
In March, we expanded our Threat Intelligence library with three new reports covering the latest activity of active APT groups. These reports provide valuable insights into real-world attacks, tools, and indicators to help security teams detect and respond to emerging threats.
Here’s what’s new:
Salt Typhoon Attacks: An in-depth report on a Chinese state-sponsored cyber espionage group active since 2019. The report highlights the group’s long-term, covert operations targeting government entities, critical infrastructure, and telecommunications providers across Southeast Asia, North America, and Africa.
Dark Caracal Attacks: A collection of IOCs and malware samples linked to Dark Caracal, a threat actor known for global cyber-espionage campaigns. The report focuses on recent activities, targeted sectors, and indicators to help identify similar threats.
UAC-0063 Attacks: A detailed analysis of UAC-0063, an APT group known for persistent and targeted attacks. The report includes IOCs, malware samples, YARA, and SIGMA rules to help defenders spot related malicious activity.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Not long ago, our Securelist blog published a post (Russian language only) about an attack on industrial enterprises using the PhantomPyramid backdoor, which our experts with a high degree of confidence attribute to the Head Mare group. The attack was fairly standard — an email claiming to contain confidential information, with an attached password-protected archive containing malware, and a password for unpacking located right in the email’s body. But the method by which the attackers hid their malicious code — in a seemingly harmless file — is quite interesting: to do it they used the polyglot technique.
What is the polyglot technique?
In the MITRE ATT&CK matrix, polyglot files are described as files that correspond to several file types at once and that behave differently depending on the application that opens them. They’re used to disguise malware: to the user, as well as to some basic protection mechanisms, they look like something completely harmless, for example a picture or a document, but in fact there’s malicious code inside. Moreover, the code can be written in several programming languages at once.
Attackers use a variety of format combinations. Unit 42 once investigated an attack using a help file in the Microsoft Compiled HTML Help format (.chm extension) that was also an HTML application (.hta file). Researchers have also described the use of a .jpeg image that was, in fact, a .phar PHP archive. In the case of the attack investigated by our experts, executable code was hidden inside a .zip archive file.
Polyglot file in the PhantomPyramid case
The file sent by the attackers (presumably the Head Mare group) had a .zip extension and could be opened with a standard archiver application. But in fact it was a binary executable file, to the end of which a small ZIP archive had been appended. Inside the archive was a shortcut file with the double extension .pdf.lnk. If the victim, confident that they were dealing with a regular PDF file, clicked on it, the shortcut executed a PowerShell script, which launched the malicious .zip file as an executable and also created a decoy PDF file in the temporary directory to show to the user.
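As an added illustration (this is not code from Kaspersky’s post or from the research it summarizes), the check below is what a defender can run on a file that claims to be a .zip: it reports whether the file begins with an executable header instead of a PK signature, how many bytes precede the first archive entry, and whether any entry carries a document-then-shortcut double extension such as .pdf.lnk. The polyglot sample it inspects is constructed inline from a fake DOS/PE stub and a real ZIP.

```python
import io
import zipfile

# Leading magic bytes of executable formats that a file named *.zip should never start with.
LEADING_MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
}
# Entry extensions that run code or launch a command despite a document-looking name in front.
SUSPICIOUS_INNER_EXT = (".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta")


def analyze_zip(data: bytes) -> dict:
    """Inspect bytes that claim to be a ZIP archive and report polyglot indicators."""
    result = {
        "is_zip": False,            # does the tail of the file carry a valid ZIP directory?
        "leading_format": None,     # executable format found at offset 0, if any
        "prefix_bytes": 0,          # how many bytes precede the first archive entry
        "double_extension_entries": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True

    # A normal archive starts with a local file header ("PK\x03\x04") or, if empty,
    # with the end-of-central-directory record ("PK\x05\x06"). The ZIP directory is
    # located from the END of the file, so readers tolerate arbitrary leading data;
    # that tolerance is exactly what an executable-plus-ZIP polyglot relies on.
    if not data.startswith(b"PK"):
        result["leading_format"] = next(
            (label for magic, label in LEADING_MAGIC.items() if data.startswith(magic)),
            "unknown",
        )

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # zipfile corrects header_offset for prepended data, so the smallest offset
        # equals the size of whatever sits in front of the archive.
        if infos:
            result["prefix_bytes"] = min(info.header_offset for info in infos)
        for info in infos:
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base.endswith(SUSPICIOUS_INNER_EXT) and base.count(".") >= 2:
                result["double_extension_entries"].append(info.filename)
    return result


def build_sample(prefix: bytes) -> bytes:
    """Constructed test input: `prefix` followed by a real ZIP holding a .pdf.lnk entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Confidential_report.pdf.lnk", b"L" + b"\x00" * 75)  # dummy shortcut bytes
    return prefix + buf.getvalue()


# Constructed stand-in for the executable part: a DOS header ("MZ") whose e_lfanew
# field at offset 0x3C points to a "PE\0\0" signature at offset 0x40, then filler.
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 200

if __name__ == "__main__":
    for label, sample in (("polyglot", build_sample(FAKE_PE)), ("clean", build_sample(b""))):
        print(label, analyze_zip(sample))
```

A non-zero prefix together with an executable magic at offset 0 is the signature of the appended-archive trick described above; a clean archive reports no leading format and a zero prefix.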
How to stay safe
To prevent the launch of malicious code, we recommend equipping all computers that have internet access with reliable security solutions. In addition, since most cyberattacks start with malicious or social-engineering emails, it’s not a bad idea to install a security solution at the corporate mail gateway level as well.
And in order to have the most up-to-date data on the techniques, tactics, and procedures of attackers, we suggest using the threat data provided by our Threat Intelligence services.
Source: Polyglot technique for disguising malware | Kaspersky official blog (posted by admin, 2025-04-02 18:06:49)
Linux cyber threats may be less common than Windows ones, but they can be equally if not more damaging. Defending against these requires proactive efforts.
Eric Parker, a popular YouTube blogger and malware analyst, recently showed his approach to investigating and collecting intelligence on Linux malware.
Here is a recap of his video.
How to find Linux malware in Threat Intelligence Lookup
TI Lookup offers a centralized database of fresh IOCs, IOAs, and IOBs. It lets you search across threat data extracted from the latest malware and phishing samples analyzed by over 500,000 professionals and 15,000 companies around the globe in ANY.RUN’s Interactive Sandbox.
To start searching for Linux threats in TI Lookup, we can begin with the search query specifying the Ubuntu OS version used in the Interactive Sandbox.
The big thing you are probably starting to notice is that Linux malware is very different from Windows malware. It is not usually targeting a desktop user.
It’s not likely to have a campaign like email attachments or fake Fortnite swappers.
Those do very rarely exist, but because very few people use Linux as their primary desktop operating system, it’s much easier to target servers.
This puts at risk corporate infrastructure and makes it particularly important for companies to use proper tools for proactive security like ANY.RUN’s Threat Intelligence Lookup and Interactive Sandbox.
Sandbox reports featuring analyses of Linux botnets displayed by TI Lookup
Let’s pick this sandbox session, which includes analysis of the Moobot version of Mirai.
The Interactive Sandbox instantly detects Mirai’s activity with Suricata IDS
The infection starts with the download of the x86.elf file, which is the process that seems to start; then it goes through, and then it ultimately gets deleted, which is another stealthing technique.
If we watch a sandbox session replay – nothing visibly happens which is very common with this kind of malware: on the system that it is targeting, there wouldn’t even be a graphical user interface.
Process analysis inside ANY.RUN’s Interactive Sandbox
The only way you might be able to detect it is if you went through the processes, which can be done thanks to ANY.RUN’s real-time logging of all processes and system activities.
Secure Your Company Against Linux Threats
So how do you prevent Linux malware? The main thing is – watch out and make sure you don’t have a weak root password on your system.
To investigate and collect proactive intelligence on Linux threats that may target your infrastructure, use Threat Intelligence Lookup.
With TI Lookup, your company can streamline:
Proactive Threat Identification: Search the database to proactively identify and update your defense based on the discovered intelligence.
Faster Research: Accelerate threat research by quickly connecting isolated IOCs to specific threats or known malware campaigns.
Real-Time Monitoring: Monitor evolving threats by receiving updates on new results related to your indicators of interest.
Incident Forensics: Enhance forensic analysis of security incidents by searching for contextual information on existing artifacts.
IOC, IOB, and IOA Collection: Discover additional indicators by searching the database for relevant threat information.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals and 15,000 organizations worldwide. The Interactive Sandbox simplifies malware analysis of threats that target both Windows and Linux systems. The threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Source: How to Hunt and Investigate Linux Malware (posted by admin, 2025-04-02 14:06:46)
In this report, we examine an Android malware sample recently collected and analyzed by our team. This malware masquerades as a banking application and is built to steal sensitive user information. During the analysis, we came across internal references to “Salvador,” so we decided to name it Salvador Stealer.
Real-time visibility into mobile malware behavior is crucial for security teams, SOC analysts, and mobile app providers. This analysis demonstrates how advanced threats can bypass user trust and steal sensitive data, highlighting the need for dynamic malware analysis solutions.
Salvador Stealer Overview
The collected malware sample is a dropper that delivers a banking stealer masquerading as a legitimate banking app. Its primary goal is to collect sensitive user information, including:
Registered mobile number
Aadhaar number
PAN card details
Date of birth
Net banking user ID and password
It embeds a phishing website inside the Android application to trick users into entering their credentials. Once submitted, the stolen data is immediately sent to both the phishing site and a C2 server controlled via Telegram.
In this technical breakdown, we’ll walk you through how this malware operates, how it maintains persistence, and how it exfiltrates sensitive data in real time.
Key Takeaways
Multi-Stage Attack Chain: Salvador Stealer uses a two-stage infection process — a dropper APK that installs and launches the actual banking stealer payload.
Phishing-Based Credential Theft: The malware embeds a phishing website within the Android app to collect sensitive personal and banking information, including Aadhaar number, PAN card, and net banking credentials.
Real-Time Data Exfiltration: Stolen credentials are immediately sent to both a phishing server and a Command and Control (C2) server via Telegram Bot API.
SMS Interception & OTP Theft: Salvador Stealer abuses SMS permissions to capture incoming OTPs and banking verification codes, helping attackers bypass two-factor authentication.
Multiple Exfiltration Channels: The malware forwards stolen SMS data via dynamic SMS forwarding and HTTP POST requests, ensuring data reaches the attacker even if one channel fails.
Persistence Mechanisms: Salvador Stealer automatically restarts itself if stopped and survives device reboots by registering system-level broadcast receivers.
Exposed Infrastructure: During analysis, we found the phishing infrastructure and admin panel publicly accessible, exposing an attacker’s WhatsApp contact, suggesting a possible link to India.
Malware Behavior Analysis
To uncover the full behavior of Salvador Stealer and observe its actions in real time, we executed the sample inside ANY.RUN’s new Android sandbox.
Analysis of the Salvador malware inside ANY.RUN Sandbox’s interactive Android VM
This interactive environment allowed us to quickly analyze the malware’s behavior, visualize its activity, and identify key indicators, all while saving significant analysis time.
The sample consists of two components:
Dropper APK – Installs and triggers the second-stage payload.
Base.apk (Payload) – The actual banking credential stealer responsible for data theft.
Dropper APK Behavior
The dropper APK is designed to silently install and execute the malicious payload. To enable this, it declares specific permissions and intent filters in its AndroidManifest.xml, including:
This behavior was clearly observed in our sandbox environment, where the malware launched a new activity immediately after execution.
The dropper APK designed to install and launch a secondary payload (base.apk) as a new activity
If we open the initial dropper APK using WinRAR, we can see base.apk, which serves as the actual malicious payload. The dropper APK is responsible for dropping and launching this payload without the victim’s knowledge.
Base.apk displayed inside the initial dropper APK using WinRAR
Once executed, base.apk exhibits several key behaviors:
It establishes a connection to Telegram, which the attackers use as a Command and Control (C2) server to receive stolen data and manage the infection.
It triggers the signature “Starts itself from another location,” confirming that it was dropped and launched by the initial dropper APK rather than being installed directly.
Process communicating with Telegram revealed inside ANY.RUN Android sandbox
Phishing Interface & Data Theft
The Salvador Stealer tricks users into entering their banking credentials through a fake banking interface phishing page embedded in the app.
Once the user submits their credentials, the data is immediately sent to both the C2 server and a Telegram bot.
Step 1: Collecting Personal Information
On the first page, the app prompts the user to enter:
Registered mobile number
Aadhaar number
PAN card details
Date of birth
The interface of the fake banking app displayed inside ANY.RUN Android sandbox
Once this information is submitted, it is immediately sent to:
A phishing website controlled by the attacker
Stolen data sent to phishing site
A Telegram bot used as part of the malware’s C2 infrastructure
Stolen data sent to Telegram C2 server
Step 2: Stealing Banking Credentials
On the next stage, the app asks the user to provide:
Net banking user ID
Password
Banking credentials provided to cyber attackers
This data is also exfiltrated to both the phishing server and the Telegram bot. We can see this easily inside ANY.RUN Android sandbox:
Stolen data sent to phishing site
These credential theft attempts were clearly captured in the HTTP request logs during sandbox analysis.
Stolen data sent to Telegram C2 server
By enabling HTTPS MITM Proxy mode in ANY.RUN’s Android sandbox, we were able to intercept and verify the exfiltration of user data in real time.
Credential theft attempts captured in the HTTP request logs
The base.apk file embedded in the dropper APK contains the core malicious functionality of Salvador Stealer. Here’s a detailed look at its structure.
Base.apk file structure
Encrypted Strings & Obfuscation
We’ll begin by opening one of the Java files to analyze its contents. Let’s start with Earnestine.java.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class Earnestine extends BroadcastReceiver {
    // Buffers the parts of multipart SMS messages until a message is complete
    private static final Map<String, StringBuilder> sdghedy = new ConcurrentHashMap();

    @Override // android.content.BroadcastReceiver
    public void onReceive(Context context, Intent intent) {
        Object[] pdus;
        // Both the broadcast action and the extras key are passed through NPStringFog.decode()
        if (intent.getAction().equals(NPStringFog.decode("0F1E09130108034B021C1F1B080A04154B260B1C0811060E091C5C3D3D3E3E3C2424203B383529")) && (pdus = (Object[]) intent.getExtras().get(NPStringFog.decode("1E141812"))) != null) {
            for (Object pdu : pdus) {
                ...
We can see that the strings are encrypted using a custom method. The decryption is performed using NPStringFog.decode(…), defined in the NPStringFog.java class.
Let’s examine that next to understand what type of encryption is used.
Opening NPStringFog.java, we can confirm that it implements XOR decryption using a static key: “npmanager”.
package obfuse;

import java.io.ByteArrayOutputStream;

public class NPStringFog {
    public static String KEY = "npmanager"; // XOR key
    private static final String hexString = "0123456789ABCDEF"; // Hexadecimal string for conversion

    public static String decode(String str) {
        ByteArrayOutputStream baos = new ByteArrayOutputStream(str.length() / 2);
        // Convert hex string to byte array
        for (int i = 0; i < str.length(); i += 2) {
            baos.write((hexString.indexOf(str.charAt(i)) << 4) | hexString.indexOf(str.charAt(i + 1)));
        }
        byte[] b = baos.toByteArray();
        int len = b.length;
        int keyLen = KEY.length();
        // XOR decryption
        for (int i2 = 0; i2 < len; i2++) {
            b[i2] = (byte) (b[i2] ^ KEY.charAt(i2 % keyLen)); // XOR byte with key
        }
        return new String(b);
    }
}
This confirms that the encryption is XOR-based. Using CyberChef, we can manually decode strings like the one found in Earnestine:
To analyze the rest of the APK effectively, we’ll need to decode all encrypted strings automatically. Here’s a Python script that recursively scans all .java files, decrypts any encrypted strings using the same XOR method, and writes the result to a _decoded.java file.
import os
import re

XOR_KEY = "npmanager"  # static key taken from NPStringFog.java


def decode_npstringfog(encoded: str, key: str = XOR_KEY) -> str:
    # Hex string -> bytes, then XOR each byte with the repeating key (mirrors NPStringFog.decode)
    b = bytearray()
    for i in range(0, len(encoded), 2):
        b.append(int(encoded[i:i + 2], 16))
    key_bytes = key.encode()
    return bytearray(b[i] ^ key_bytes[i % len(key_bytes)] for i in range(len(b))).decode(errors="replace")


def java_string_literal(s: str) -> str:
    # Escape backslashes and double quotes so the decoded text is still a valid Java literal
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def decode_and_save(filepath: str):
    with open(filepath, "r", encoding="utf-8") as f:
        content = f.read()
    # Find all NPStringFog.decode("<hex>") calls; the dot and parentheses must be escaped in the regex
    pattern = re.compile(r'NPStringFog\.decode\("([0-9A-Fa-f]+)"\)')
    if not pattern.search(content):
        return
    decoded_content = pattern.sub(lambda m: java_string_literal(decode_npstringfog(m.group(1))), content)
    outpath = filepath[:-len(".java")] + "_decoded.java"
    with open(outpath, "w", encoding="utf-8") as f:
        f.write(decoded_content)
    print(f"[+] Decoded file written: {outpath}")


def walk_and_decode(base_dir: str = "."):
    for root, _, files in os.walk(base_dir):
        for file in files:
            # Skip the _decoded.java files produced by an earlier run
            if file.endswith(".java") and not file.endswith("_decoded.java"):
                decode_and_save(os.path.join(root, file))


if __name__ == "__main__":
    walk_and_decode()
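As an added check that is not part of the original write-up: the same XOR scheme, written with both directions, applied to the two hex literals quoted from Earnestine.java above. The encode direction lets an analyst produce the exact hex a sample would carry for a known constant, which is handy when grepping a decompiled tree or building string-based detections; the constants and function names are this example's own.

```python
# Added example (not from the original analysis): NPStringFog round-trip
# under the static key "npmanager", run over the literals quoted from Earnestine.

KEY = b"npmanager"  # static key from NPStringFog.java

# The two literals that appear in the Earnestine.onReceive() snippet
EARNESTINE_ACTION = "0F1E09130108034B021C1F1B080A04154B260B1C0811060E091C5C3D3D3E3E3C2424203B383529"
EARNESTINE_EXTRA = "1E141812"


def npstringfog_decode(encoded: str, key: bytes = KEY) -> str:
    """Hex-decode, then XOR each byte with the repeating key, as NPStringFog.decode() does."""
    if len(encoded) % 2 != 0:
        raise ValueError("hex literal has odd length")
    raw = bytes.fromhex(encoded)
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
    return plain.decode("utf-8", errors="replace")


def npstringfog_encode(plain: str, key: bytes = KEY) -> str:
    """Inverse direction: XOR with the key, then upper-case hex (the alphabet NPStringFog uses)."""
    raw = plain.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).hex().upper()


def decode_earnestine_literals() -> dict:
    """Return the plaintext of both literals from the Earnestine snippet."""
    return {
        "action": npstringfog_decode(EARNESTINE_ACTION),
        "extra": npstringfog_decode(EARNESTINE_EXTRA),
    }


if __name__ == "__main__":
    for name, value in decode_earnestine_literals().items():
        print(f"{name}: {value}")
    # Round-trip a value an analyst might want to hunt for in other samples
    hunted = "forwardingNumber"
    print(f"{hunted} -> {npstringfog_encode(hunted)}")
```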
WebView-Based Phishing Page
Now that we’ve decoded the files, we can begin our deeper analysis of base.apk.
Let’s start with Helene.java, which acts as the main activity of the application. It loads a webpage and handles runtime permissions.
Upon launch, it checks for the necessary Android permissions and ensures there is an active internet connection.
This method sets up the UI, verifies permissions, and initializes a WebView. The setupWebView() method enables JavaScript and DOM storage, then loads the phishing page:
public void setupWebView(Context context, final WebView webView) {
    WebSettings settings = webView.getSettings();
    settings.setJavaScriptEnabled(true); // required for the JavaScript injected after page load
    settings.setDomStorageEnabled(true);
    ...
    webView.loadUrl("https://t15.muletipushpa.cloud/page/"); // the embedded phishing page
}
Once the page finishes loading, a malicious JavaScript payload is injected:
After decoding, the JavaScript reveals that it hooks into XMLHttpRequest.prototype.send, which is commonly used by web apps to send data (e.g., login credentials or session info).
It intercepts all AJAX/XHR requests made from the loaded phishing page. These intercepted payloads are sent to a hardcoded Telegram chat via the Bot API.
SMS Interception & OTP Theft
After loading the phishing WebView it requests several Android permissions, including:
RECEIVE_SMS
SEND_SMS
READ_SMS
INTERNET
These permissions are essential for the malware’s goals—intercepting one-time passwords (OTPs) and forwarding them.
Once the permissions are granted, the initiateForegroundServiceIfRequired() method is called, launching the Fitzgerald service. This foreground service creates a fake notification (“Customer support”) and more importantly, it immediately registers a broadcast receiver to intercept incoming SMS:
this.smsReceiver = new Earnestine();
registerReceiver(this.smsReceiver, new IntentFilter("android.provider.Telephony.SMS_RECEIVED"));
This is the real starting point of the OTP interception process. Every incoming message is captured and parsed by Earnestine. From the PDU, the malware extracts the message body, sender’s number, and timestamp:
The message is then stored using a map that groups multipart SMS messages together. Once it decides the message is complete and ready for exfiltration, the malware uses two separate mechanisms to forward it to the attacker:
Dynamic SMS forwarding:
Inside a function named Bradford(), the malware contacts a remote server to retrieve a forwarding number.
This number is set by the attacker and can be changed at any time. If the server responds with enabled: true, the message is forwarded to that number using the standard SmsManager.
If the number is not available or the response is malformed, the malware will fall back to a previously saved one stored in SharedPreferences. It uses the key “Salvador” as the name of the preference file, and “forwardingNumber” as the key to retrieve the last known destination.
This use of “Salvador” as a unique identifier for internal storage is what led us to name this malware Salvador Stealer:
This suggests the malware is designed to persist attacker-supplied configuration data between sessions, allowing it to continue exfiltrating OTPs even when the server is unreachable or temporarily offline.
HTTP-Based Fallback
Through another method called Randall(), the malware constructs a JSON payload containing the sender ID, message content, and timestamp:
By using both SMS and HTTP as parallel delivery channels, the malware increases its chances of reliably delivering OTPs or any sensitive codes it intercepts, ensuring the attacker receives them regardless of connectivity issues or SMS blocking.
Persistence Mechanism
Even if the user or system tries to terminate the app’s background service, the malware is programmed to automatically restart it. When the Fitzgerald service is killed or swiped away, it immediately schedules a recovery task using Android’s WorkManager:
WorkRequest serviceRestartWork = new OneTimeWorkRequest.Builder(Mauricio.class)
.setInitialDelay(1L, TimeUnit.SECONDS)
.build();
WorkManager.getInstance(getApplicationContext()).enqueue(serviceRestartWork);
The scheduled worker points to the Mauricio class. Inside, it simply relaunches Fitzgerald:
Intent Pasquale = new Intent(getApplicationContext(), Fitzgerald.class);
getApplicationContext().startForegroundService(Pasquale);
This way, even if the user tries to shut the app down from the task manager or system settings, the malware silently revives itself within seconds.
If the device itself is rebooted, the malware still survives. A separate class named Ellsworth is responsible for this behavior. It listens for the system-wide BOOT_COMPLETED broadcast and triggers the Fitzgerald service again:
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

public class Ellsworth extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // Fires once the system has finished booting, then relaunches the Fitzgerald service
        if (intent.getAction().equals("android.intent.action.BOOT_COMPLETED")) {
            Intent serviceIntent = new Intent(context, (Class<?>) Fitzgerald.class);
            context.startService(serviceIntent);
        }
    }
}
This guarantees that the malware regains control after reboot and resumes intercepting SMS messages immediately.
Interesting Findings
During our analysis, we identified that the fake banking interface used by Salvador Stealer is actually a phishing website embedded inside the Android application.
The phishing page can be accessed directly at: hxxxs://t15[.]muletipushpa[.]cloud/page/start[.]php
Phishing page that encourages victims to share their personal data
We also detected another phishing page hosted on a different subdomain, following a pattern with incremental digits, from t01.* up to t15.*.
At the time of writing, the attacker has also left the admin panel accessible to anyone.
The admin login page is publicly available at: hxxxs://t15[.]muletipushpa[.]cloud/admin/login[.]php
Admin login page available to everyone
Brute-forcing the admin login panel reveals a message prompting the user to contact a WhatsApp number, likely belonging to the developer of this phishing malware.
Exposed phone number: +916306285085
This suggests that the attacker is either based in India or using an Indian phone number as a disguise.
Salvador Threat Impact
The Salvador Stealer campaign poses a serious risk to both individuals and organizations:
For end users: Victims risk financial fraud, identity theft, and unauthorized access to their banking accounts.
For financial institutions: This malware undermines customer trust, increases fraud cases, and may lead to reputational damage.
For security teams: Salvador Stealer’s layered infection chain, real-time data exfiltration, and SMS interception tactics make detection difficult without advanced analysis tools.
For mobile ecosystem: The use of legitimate-looking banking apps and embedded phishing pages highlights the growing trend of sophisticated Android-based social engineering attacks.
Conclusion
The analysis of Salvador Stealer reveals how modern Android malware combines phishing, credential theft, and advanced persistence techniques to compromise sensitive financial data. Threats like this highlight the increasing complexity of mobile malware and the growing challenge of detecting and stopping them before damage is done.
By analyzing Salvador Stealer in real time using ANY.RUN’s Android sandbox, we were able to fully map its behavior, uncover its infrastructure, and extract key indicators in just minutes—something that would otherwise require hours of manual static analysis.
Here’s how analysis like this can bring value:
Faster threat detection: Quickly identify malicious behaviors and communication patterns.
Complete visibility: Observe real-time actions of mobile malware, including data exfiltration and persistence tactics.
Reduced investigation time: Automate and accelerate the technical analysis process.
Improved response: Provide clear, actionable Indicators of Compromise (IOCs) for threat hunting and incident response.
Enhanced threat intelligence: Expose attacker infrastructure and techniques that may be used in future campaigns.
Effective defense starts with better visibility. Tools like ANY.RUN’s sandbox make real-time threat analysis actionable and accessible to everyone.
Imagine what the world would be like if tarot cards could accurately predict any and every event. Perhaps we could have nipped Operation Triangulation in the bud, and zero-day vulnerabilities wouldn’t exist at all, as software developers would receive alerts in advance thanks to tarot readings.
Sounds incredible? Well, our experts actually looked into similar methods in their latest discovery! Read on to learn about the new Trojan we found and how we did it.
The tarot trojan
The new Trojan — Trojan.Arcanum — is distributed through websites dedicated to fortune-telling and esoteric practices, disguised as a “magic” app for predicting the future. At first glance, it looks like a harmless program offering users the chance to lay out virtual tarot cards, calculate astrological compatibility, or even “charge an amulet with the energy of the universe” (whatever that means). But in reality, something truly mystical is unfolding behind the scenes — in the worst possible way.
Once installed on the user’s device, Trojan.Arcanum connects to a cloud C2 server and deploys its payload — the Autolycus.Hermes stealer, the Karma.Miner miner, and the Lysander.Scytale crypto-malware. Having collected user data (logins; passwords; time, date and place of birth; banking information; etc.), the stealer sends it to the cloud. Then the real drama begins: the Trojan starts manipulating its victim in real life using social engineering!
Through pop-up notifications, Trojan.Arcanum sends pseudo-esoteric advice to the user, prompting them to take certain actions. For example, if the Trojan gains access to the victim’s banking apps and discovers significant funds in the account, the attackers send a command to give the victim a false prediction about the favorability of large investments. After this, the victim might receive a phishing email offering to participate in a “promising startup”. Or maybe they won’t — depending on how the cards fall.
In the meantime, the embedded Karma.Miner begins mining KARMA tokens, and the Trojan activates a paid subscription to dubious “esoteric practices” with monthly charges. If the user detects and terminates the KARMA mining, the crypto-malware randomly shuffles segments of the user’s files without any chance of recovery.
How we discovered Trojan.Arcanum
Typically, we hunt for cyberthreats using complex algorithms and data analysis. But what if the threat is too enigmatic? In such cases, trusting a tarot reading is the best approach. That’s exactly what our experts did. When performing divination on the signature of an unknown virus detected through KSN (Kaspersky Sacral Network), several Major Arcana cards appeared — some of them reversed:
The Emperor — A symbol of power, control, and strategic foresight. Meaning: the threat is serious.
The Magician — Able to spot vulnerabilities where no one else does. Clever, proactive, and decisive, the Magician skillfully manipulates people. In reverse, it warns of a loss of control. Meaning: the attackers use social engineering.
The Horse — Represents a bold, decisive, adventurous individual; a symbol of activity, change… and Trojan horses. Reversed, the card indicates errors due to impulsive actions. Meaning: the threat might disguise itself as a randomly downloaded harmless app.
The Wheel — Warns that insurmountable circumstances are beyond the user’s control, and that a favorable resolution will be delayed. Usually indicates a miner or financial scam.
The Tower — Foretells a phase of change initiated not by the person but by fate — falling upon the person with relentless force. A strong predictor of a zero-click vulnerability.
Death — represents transformation, a change of cycles, an ending, a transition to a new level. Indicates the presence of crypto-malware.
How the reading looked on the expert’s table
How to protect yourself from Arcanum
Protecting yourself from such a virus is nearly impossible — if only because it doesn’t exist. This whole story is a fabrication from start to finish. But what’s stopping it from becoming a reality at any given moment? Trojans and other types of malware do often disguise themselves as legitimate apps and can steal all sorts of data. Miners have long been distributed through links under popular YouTube videos or video games. Ransomware is capable of paralyzing an entire nation’s healthcare insurance system. Moreover, magic themes are certainly popular enough to become a potential target of cybercriminals. Here are some tips to make your digital life safer:
Check app permissions. If a fortune-telling app requests access to your text messages, geolocation, or the file system, think twice — why does it need that? You’re likely looking at disguised spyware, not some magical technology.
Pay close attention to your subscriptions. Regularly check the subscriptions in your app store settings so you don’t suddenly find out you’ve been forking out to some Secret Order of Fortune Tellers every month.
Trojan.Arcanum — a new trojan targeting tarot experts, esotericists, and magicians | Kaspersky official blog (posted by admin, 2025-04-01 09:06:46)
Cybersecurity professionals will likely draw upon the Akira ransomware attack as a key learning example for years to come. The attackers encrypted an organization’s computers by hacking a surveillance camera. While counterintuitive at first glance, the sequence of events follows a logic that can be easily applied to a different organization and different devices within its infrastructure.
Anatomy of the attack
Attackers exploited a vulnerability in a public-facing application to penetrate the network and execute commands on an infected host. Following the initial breach, they launched the popular remote access tool AnyDesk and initiated an RDP session with the organization’s file server. Accessing the server, they attempted to run ransomware, but the company’s EDR system detected and quarantined it. Alas, this didn’t stop the attackers.
Unable to deploy the ransomware on servers or workstations, which were protected by EDR, the attackers ran a LAN scan and found a network video camera. Despite repeated references to a “webcam” in the incident investigation report, we believe it wasn’t the built-in camera of a laptop or smartphone, but a standalone networked device for video surveillance.
There were several reasons why the camera was an ideal target for the attackers:
Due to its severely outdated firmware, the device was vulnerable to remote exploitation, which granted attackers shell access and the ability to execute commands.
The camera ran a lightweight Linux build capable of executing standard binaries for this operating system. Coincidentally, Akira’s arsenal contained a Linux-based encryption tool.
This specialized device lacked — and likely was incapable of supporting — an EDR agent or any other security controls to detect malicious activity.
The attackers were able to install their malware on the camera, and used the device as the foothold for encrypting the organization’s servers.
How to avoid being the next victim
The IP camera incident vividly illustrates certain principles of targeted cyberattacks, and provides insight into effective countermeasures. Here’s a ranking of the countermeasures, from the easiest to the most complex:
Limit access to specialized network devices and their permissions. A major factor in this attack was the IP camera’s overly permissive access to the file servers. These devices should reside within an isolated subnet. If that’s not feasible, they should be given the fewest possible permissions to communicate with other computers. For example, write-access should be restricted to a single folder on a single specific server where video recordings are stored. And access to the camera and this folder should be restricted to workstations used only by security and other authorized personnel. While implementing these restrictions may be more challenging for other specialized devices (such as printers), it’s readily achievable with cameras.
Deactivate non-essential services and default accounts on smart devices, and change default passwords.
Use an EDR solution across all servers, workstations, and other compatible devices. The selected solution must be capable of detecting anomalous server activity, such as remote encryption attempts via SMB.
Extend vulnerability and patch management programs to include all smart devices and server software. Start by conducting a detailed inventory of such devices.
Where feasible, implement monitoring, such as telemetry forwarding to a SIEM system, even on specialized devices where EDR deployment isn’t possible: routers, firewalls, printers, video surveillance cameras, and similar devices.
Consider transitioning to an XDR-class solution, which combines network and host monitoring with anomaly-detection technologies, and tools for manual and automatic incident response.
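As an added example that is not from the original post: a small Python check over file-server SMB audit events that implements two of the points above, that a camera may touch only its recordings folder on one server, and that a burst of renames to a new extension from one client is treated as a remote-encryption attempt. The event format, addresses, share names and threshold are constructed for this example.

```python
# Added example (not from the original post): policy and encryption-burst checks
# over constructed SMB audit events, the kind of telemetry a SIEM would receive
# from a file server even when the client (an IP camera) cannot run an EDR agent.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed asset inventory: where the cameras live and the single
# server/share/folder they are allowed to write recordings to.
CAMERA_SUBNET = ip_network("10.20.0.0/24")
RECORDINGS_SERVER = ip_address("10.0.0.10")
RECORDINGS_SHARE = "video"
RECORDINGS_FOLDER = "cam-recordings/"

# One client renaming this many files to a new extension in one batch is
# treated as remote encryption over SMB (an encryptor renames what it touches).
RENAME_BURST_THRESHOLD = 5

# Constructed audit lines: "timestamp src_ip server share op path [-> new_path]"
SAMPLE_EVENTS = """\
2025-03-28T10:00:01 10.20.0.7 10.0.0.10 video write cam-recordings/cam07/1000.mp4
2025-03-28T10:00:02 10.20.0.7 10.0.0.10 video write cam-recordings/cam07/1001.mp4
2025-03-28T10:05:10 10.20.0.7 10.0.0.20 finance open Q1/budget.xlsx
2025-03-28T10:05:11 10.20.0.7 10.0.0.20 finance rename Q1/budget.xlsx -> Q1/budget.xlsx.locked
2025-03-28T10:05:12 10.20.0.7 10.0.0.20 finance rename Q1/forecast.xlsx -> Q1/forecast.xlsx.locked
2025-03-28T10:05:13 10.20.0.7 10.0.0.20 finance rename Q1/payroll.csv -> Q1/payroll.csv.locked
2025-03-28T10:05:14 10.20.0.7 10.0.0.20 finance rename Q1/notes.docx -> Q1/notes.docx.locked
2025-03-28T10:05:15 10.20.0.7 10.0.0.20 finance rename Q2/plan.pptx -> Q2/plan.pptx.locked
2025-03-28T10:07:00 10.0.1.55 10.0.0.20 finance rename Q1/draft.docx -> Q1/final.docx
"""


def parse_event(line: str) -> dict:
    """Parse one constructed audit line into a dict (rename events also carry new_path)."""
    parts = line.split()
    ev = {"ts": parts[0], "src": ip_address(parts[1]), "server": ip_address(parts[2]),
          "share": parts[3], "op": parts[4], "path": parts[5]}
    if ev["op"] == "rename" and len(parts) >= 8 and parts[6] == "->":
        ev["new_path"] = parts[7]
    return ev


def camera_policy_violation(ev: dict) -> Optional[str]:
    """Return a reason when a camera reaches anything except its recordings folder."""
    if ev["src"] not in CAMERA_SUBNET:
        return None
    allowed = (ev["server"] == RECORDINGS_SERVER and ev["share"] == RECORDINGS_SHARE
               and ev["path"].startswith(RECORDINGS_FOLDER))
    if allowed:
        return None
    return f"camera {ev['src']} did {ev['op']} on {ev['server']}/{ev['share']}/{ev['path']}"


def extension_changed(path: str, new_path: str) -> bool:
    """True when a rename appends or replaces the extension (e.g. .xlsx -> .xlsx.locked)."""
    return path.rsplit(".", 1)[-1] != new_path.rsplit(".", 1)[-1]


def detect(lines) -> dict:
    """Run both checks; returns {'policy': [reasons], 'encryption': {src_ip: rename_count}}."""
    policy = []
    renames = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        reason = camera_policy_violation(ev)
        if reason:
            policy.append(reason)
        if ev["op"] == "rename" and "new_path" in ev and extension_changed(ev["path"], ev["new_path"]):
            renames[str(ev["src"])] += 1
    encryption = {src: n for src, n in renames.items() if n >= RENAME_BURST_THRESHOLD}
    return {"policy": policy, "encryption": encryption}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS.splitlines())
    for reason in result["policy"]:
        print("POLICY:", reason)
    for src, count in result["encryption"].items():
        print(f"ENCRYPTION: {src} renamed {count} files to new extensions")
```

The ordinary user's rename (draft.docx to final.docx) keeps its extension and is not counted, while every event the camera sends to the finance share is a policy hit regardless of the encryption check.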
How IP cameras can help attackers | Kaspersky official blog (posted by admin, 2025-03-31 18:06:41)