TrickMo C Variant Adopts TON Blockchain for Decentralized C2 and Expands Network Pivot Capabilities
Summary
A new variant of the TrickMo Android banking trojan, designated TrickMo C, has moved its command-and-control (C2) infrastructure entirely onto The Open Network (TON) blockchain: it starts a native TON proxy at launch and addresses its servers by .adnl identities resolved inside the TON overlay, so there is no public DNS name or registrar for a takedown to target. The variant was identified in campaigns between January and February 2026 against banking and wallet users in France, Italy, and Austria, spread through Facebook ads carrying TikTok-themed lures; the dropper apps pose as TikTok variants, while the TrickMo payload itself impersonates Google Play Services. TrickMo C keeps the core device-takeover feature set (credential phishing, keylogging, screen streaming, OTP suppression, and real-time remote control) and adds a network-operative subsystem for reconnaissance plus authenticated SSH tunneling and SOCKS5 proxying. Infected devices thereby become programmable network pivots: operator traffic exits from the victim's IP address, which defeats IP-based fraud detection and can support lateral movement into whatever network the phone is connected to.
Timeline
- 11.05.2026 18:15 (2 articles)
TrickMo C Variant Adopts TON Blockchain C2 and Introduces Network Pivot Capabilities
A new variant of the TrickMo Android banking trojan, designated TrickMo C, was observed in campaigns targeting European banking and wallet users between January and February 2026. It replaces conventional C2 domains with TON blockchain .adnl identities and embeds a native TON proxy at launch so that all C2 traffic is routed through the decentralized overlay. Distribution relies on dropper apps posing as TikTok variants, promoted through Facebook ads; the TrickMo payload impersonates Google Play Services and is loaded dynamically at runtime from a separately fetched APK (dex.module). A new network-operative subsystem adds reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and authenticated tunneling through embedded SSH and a SOCKS5 proxy, so an infected device can be driven as a programmable network pivot whose outbound traffic appears to originate from the victim's IP.
Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
Information Snippets
- TrickMo C starts a native TON proxy at launch and routes all C2 traffic to .adnl identities resolved within the TON blockchain overlay, bypassing public DNS and the domain-takedown mechanisms that depend on it.
First reported: 11.05.2026 18:15 (2 sources, 2 articles). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
- The variant was identified in active campaigns against banking and wallet users in France, Italy, and Austria between January and February 2026, using TikTok-themed lures promoted through Facebook ads.
First reported: 11.05.2026 18:15 (2 sources, 2 articles). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
- TrickMo C retains the core Android banking trojan capabilities: credential phishing via WebView overlays, keylogging, screen streaming, OTP suppression, and real-time remote control through abused accessibility services.
First reported: 11.05.2026 18:15 (2 sources, 2 articles). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
- Infected devices can execute network reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and provide authenticated socket-level tunneling through embedded SSH and a SOCKS5 proxy that requires username/password authentication, so only the operator holding the credentials can use the pivot.
First reported: 11.05.2026 18:15 (2 sources, 2 articles). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
- Traffic tunneled through an infected device exits from the victim's IP address, so the operator's session carries the same source address the bank already associates with the customer, defeating IP-based fraud detection, and it can be pointed at other hosts on whatever corporate or home network the phone is joined to, enabling lateral movement.
First reported: 11.05.2026 18:15 (2 sources, 2 articles). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
- TrickMo C declares full NFC permissions and bundles the Pine hooking framework; neither is used yet, and both are assessed as reserved for capabilities to be delivered at runtime in a later build.
First reported: 11.05.2026 18:15 (2 sources, 2 articles). Sources:
- TrickMo Variant Routes Android Trojan Traffic Through TON — www.infosecurity-magazine.com — 11.05.2026 18:15
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
- TrickMo C loads its main payload from a separate APK (dex.module) fetched at runtime from attacker-controlled infrastructure; the network-operative subsystem in that payload replaces the socket.io-based channel used by earlier TrickMo builds.
First reported: 12.05.2026 15:50 (1 source, 1 article). Sources:
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
- Dropper apps carrying TrickMo C masquerade as adult TikTok versions, while the malware itself impersonates Google Play Services. Observed package names: com.app16330.core20461 or com.app15318.core1173 for the droppers; uncle.collop416.wifekin78 or nibong.lida531.butler836 for the TrickMo payload.
First reported: 12.05.2026 15:50 (1 source, 1 article). Sources:
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
- The malware's network-operative subsystem supports reconnaissance commands (curl, dnslookup, ping, telnet, traceroute) and establishes authenticated SSH tunneling alongside SOCKS5 proxying, so the infected device can serve as a traffic-exit node for the operator.
First reported: 12.05.2026 15:50 (1 source, 1 article). Sources:
- New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots — thehackernews.com — 12.05.2026 15:50
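The snippets above describe the pivot in outline (an authenticated SOCKS5 listener on the phone, operator traffic exiting from the victim's IP) but do not show what it looks like on the wire, which is what a sensor on the Wi-Fi segment would have to spot. The following Python is an added example, not code from the reports or from the malware: it parses the client-to-proxy half of a SOCKS5 session (RFC 1928 greeting and request, RFC 1929 username/password sub-negotiation) and flags flows in which a host accepted an authenticated SOCKS5 handshake, the signature left when an infected handset is driven as a pivot. The sample flows, addresses, the credential pair and the listening port 1080 are constructed for the example; the reports do not state which port TrickMo C listens on.

```python
import socket
import struct

SOCKS_VER, AUTH_VER = 0x05, 0x01
METHOD_NOAUTH, METHOD_USERPASS = 0x00, 0x02      # 0x02 = RFC 1929 username/password
COMMANDS = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_socks5_client(data):
    """Parse the client->proxy bytes of one SOCKS5 session (RFC 1928 / RFC 1929).
    Returns None unless the bytes open with a SOCKS5 greeting, else a dict with the
    offered methods, the username if a user/pass sub-negotiation was seen, and the
    request command and destination when the stream reached that point."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    methods = set(data[2:2 + nmethods])
    pos = 2 + nmethods
    info = {"methods": sorted(methods), "userpass": False, "username": None,
            "command": None, "dst_host": None, "dst_port": None}

    # RFC 1929 sub-negotiation: VER(0x01) ULEN UNAME PLEN PASSWD. The client sends
    # it only after the proxy selected method 0x02, so its presence proves the
    # listener demanded credentials: an operator-only pivot, not an open proxy.
    if pos < len(data) and data[pos] == AUTH_VER:
        if METHOD_USERPASS not in methods or pos + 2 > len(data):
            return info
        ulen = data[pos + 1]
        uname = data[pos + 2:pos + 2 + ulen]
        p = pos + 2 + ulen
        if p >= len(data):
            return info                       # truncated before PLEN
        p += 1 + data[p]                      # skip PLEN and the password bytes
        if p > len(data):
            return info
        info["userpass"], info["username"] = True, uname.decode("ascii", "replace")
        pos = p

    # Request: VER CMD RSV ATYP DST.ADDR DST.PORT
    if pos + 4 > len(data) or data[pos] != SOCKS_VER:
        return info
    cmd, atyp = data[pos + 1], data[pos + 3]
    pos += 4
    if atyp == 0x01 and pos + 6 <= len(data):                                    # IPv4
        host, pos = ".".join(str(b) for b in data[pos:pos + 4]), pos + 4
    elif atyp == 0x03 and pos < len(data) and pos + 3 + data[pos] <= len(data):  # domain
        n = data[pos]
        host, pos = data[pos + 1:pos + 1 + n].decode("ascii", "replace"), pos + 1 + n
    elif atyp == 0x04 and pos + 18 <= len(data):                                 # IPv6
        host, pos = socket.inet_ntop(socket.AF_INET6, data[pos:pos + 16]), pos + 16
    else:
        return info
    info["command"] = COMMANDS.get(cmd, "0x%02x" % cmd)
    info["dst_host"], info["dst_port"] = host, struct.unpack("!H", data[pos:pos + 2])[0]
    return info


def flag_pivot_sessions(flows):
    """flows: (client_ip, proxy_ip, proxy_port, client_payload) tuples. Returns a
    finding for each flow that completed an authenticated handshake and sent a
    request; proxy_ip is the pivot (the phone), exit_target what was reached from it."""
    findings = []
    for client_ip, proxy_ip, proxy_port, payload in flows:
        info = parse_socks5_client(payload)
        if info and info["userpass"] and info["command"]:
            findings.append({"pivot": proxy_ip, "pivot_port": proxy_port,
                             "operator": client_ip, "username": info["username"],
                             "command": info["command"],
                             "exit_target": "%s:%d" % (info["dst_host"], info["dst_port"])})
    return findings


def build_client_stream(username=None, password=None, host="bank.example", port=443):
    """Construct the client->proxy bytes of a SOCKS5 CONNECT (test input only)."""
    if username is None:
        greeting, auth = bytes([SOCKS_VER, 1, METHOD_NOAUTH]), b""
    else:
        greeting = bytes([SOCKS_VER, 2, METHOD_NOAUTH, METHOD_USERPASS])
        u, p = username.encode(), password.encode()
        auth = bytes([AUTH_VER, len(u)]) + u + bytes([len(p)]) + p
    h = host.encode()
    return greeting + auth + bytes([SOCKS_VER, 0x01, 0x00, 0x03, len(h)]) + h + struct.pack("!H", port)


# Constructed sample flows (addresses, credentials and port 1080 are assumptions): an
# operator at 203.0.113.7 drives a phone at 10.20.30.40; the other two must not fire.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.20.30.40", 1080, build_client_stream("operator", "hunter2", "bank.example", 443)),
    ("10.20.30.41", "198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    ("10.20.30.42", "10.20.30.43", 1080, build_client_stream(host="example.org", port=80)),
]

if __name__ == "__main__":
    for finding in flag_pivot_sessions(SAMPLE_FLOWS):
        print(finding)
```

In a real deployment the payload would come from reassembled client-side TCP streams (a Zeek conn/socks log or a tcpdump capture of the phone's segment), not from the constructed list. The decision point is the RFC 1929 sub-negotiation: because a client only sends it after the server has chosen method 0x02, seeing it addressed to a handset proves the handset is running a credential-gated proxy, not merely being scanned. The CONNECT destination in the same flow tells you which service the operator reached through the victim's address, which is the record a fraud team needs when the bank's logs show a "normal" customer IP.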
Similar Happenings
Android Malware Campaign Abuses Hugging Face Platform
A new Android malware campaign has been observed leveraging the Hugging Face platform to distribute thousands of APK payload variants designed to steal credentials from financial and payment services. The attack begins with the dropper app TrustBastion, which uses scareware-style ads and fake system update prompts to trick users into installing it. The malware then redirects to a Hugging Face repository to download the final payload, employing server-side polymorphism to evade detection and exploiting Android’s Accessibility Services to monitor activity and capture credentials. Bitdefender discovered over 6,000 commits in the repository, which was taken down but resurfaced under the name 'Premium Club.' Bitdefender published indicators of compromise and notified Hugging Face, which removed the malicious datasets. A separate infostealer campaign was uncovered on Hugging Face, where the repository 'Open-OSS/privacy-filter' typosquatted OpenAI's legitimate Privacy Filter release to distribute a Rust-based infostealer. The malicious repository achieved high visibility with over 244,000 downloads and 667 likes in under 18 hours, likely artificially inflated, and instructed users to clone and execute scripts to initiate the infection. The infostealer used evasion techniques and targeted browser passwords, session cookies, Discord tokens, crypto wallets, Telegram sessions, and other credentials. HiddenLayer urged affected users to treat their systems as fully compromised, rotate all credentials, and follow remediation steps.
Sturnus Android Malware Targets Encrypted Messaging Apps and Banking Credentials
Sturnus, a new Android banking trojan, steals messages from encrypted apps like Signal, WhatsApp, and Telegram by capturing screen content post-decryption. It performs full device takeover via VNC and overlays to steal banking credentials. The malware is under development but fully functional, targeting European financial institutions with region-specific overlays. It uses a mix of encryption methods for C2 communication and abuses Accessibility services for extensive control. The malware is disguised as legitimate apps like Google Chrome or Preemix Box, but distribution methods remain unknown. It establishes encrypted channels for commands and data exfiltration, and gains Device Administrator privileges to prevent removal. ThreatFabric reports low-volume attacks in Southern and Central Europe, suggesting testing for larger campaigns. New details reveal Sturnus uses WebSocket and HTTP channels for communication, displays full-screen overlays mimicking OS updates, and collects extensive device data for continuous feedback.
Klopatra Android Trojan Conducts Nighttime Bank Transfers
A new Android banking malware, Massiv, is posing as an IPTV app to steal digital identities and access online banking accounts. The malware targets users in Spain, Portugal, France, and Turkey, with a particular focus on a Portuguese government app connected to Chave Móvel Digital. Massiv uses screen overlays, keylogging, SMS interception, and remote control to obtain sensitive data and can open new accounts in the victim's name for money laundering and loans. The malware provides two remote control modes: screen live-streaming and UI-tree mode, which extracts structured data from the Accessibility Service. This trend of using IPTV apps as lures for Android malware infections has increased over the past eight months. Previously, the Klopatra Android Trojan was identified, capable of performing unauthorized bank transfers while the device is inactive. Klopatra targets users in Italy and Spain, with over 3,000 devices infected. It disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. The malware employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. Klopatra operates during nighttime hours, draining victims' bank accounts without alerting them.
Chinese Malware Campaigns Exploit SEO and GitHub Pages to Distribute HiddenGh0st, Winos, and kkRAT
Chinese-speaking users are targeted by a malware campaign using SEO poisoning and fake software sites to distribute HiddenGh0st, Winos, and kkRAT. The campaign manipulates search rankings and uses trojanized installers to deliver the malware. The attacks exploit vulnerabilities in popular software and use various techniques to evade detection and maintain persistence. The malware is designed to establish command-and-control communication, monitor user activity, and steal sensitive information. The threat actor Dragon Breath, also known as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified variant of Gh0st RAT. The campaign employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams. The malware targets specific antivirus programs, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. The malware uses a Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software. The final malware deployed is a modified version of Gh0st RAT, designed to communicate with a remote server to fetch additional instructions. The campaign was discovered in August 2025 and involves multiple malware families, including HiddenGh0st and Winos, which are variants of Gh0st RAT. The attacks use fake software sites and GitHub Pages to distribute the malware, exploiting the trust associated with legitimate platforms. The malware employs sophisticated techniques to evade detection and maintain persistence, including anti-analysis checks and TypeLib COM hijacking. Two interconnected malware campaigns, Campaign Trio and Campaign Chorus, have employed large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users. Additionally, a new sample of the ToneShell backdoor, typically seen in Chinese cyberespionage campaigns, has been delivered through a kernel-mode loader in attacks against government organizations. 
The backdoor has been attributed to the Mustang Panda group, also known as HoneyMyte or Bronze President, that usually targets government agencies, NGOs, think tanks, and other high-profile organizations worldwide. The new variant of the ToneShell backdoor features changes and stealth enhancements, including a new host identification scheme and network traffic obfuscation with fake TLS headers. The driver file is signed with an old, stolen, or leaked digital certificate from Guangzhou Kingteller Technology Co., Ltd, valid from August 2012 to 2015. The driver registers as a minifilter driver on infected machines, injecting a backdoor trojan into system processes and providing protection for malicious files, user-mode processes, and registry keys. The driver resolves required kernel APIs dynamically at runtime by using a hashing algorithm to match the required API addresses. The driver monitors file-delete and file-rename operations to prevent itself from being removed or renamed. The driver denies attempts to create or open Registry keys that match against a protected list by setting up a RegistryCallback routine and ensuring that it operates at an altitude of 330024 or higher. The driver interferes with the altitude assigned to WdFilter.sys, a Microsoft Defender driver, changing it to zero, thereby preventing it from being loaded into the I/O stack. The driver intercepts process-related operations and denies access if the action targets any process that's on a list of protected process IDs when they are running. The driver removes rootkit protection for those processes once execution completes. The driver drops two user-mode payloads, one of which spawns an "svchost.exe" process and injects a small delay-inducing shellcode. The second payload is the TONESHELL backdoor that's injected into that same "svchost.exe" process. 
Once launched, the backdoor establishes contact with a C2 server ("avocadomechanism[.]com" or "potherbreference[.]com") over TCP on port 443, using the communication channel to receive commands. The backdoor commands include creating temporary files for incoming data, downloading files, canceling downloads, establishing a remote shell via pipe, receiving operator commands, terminating the shell, uploading files, canceling uploads, and closing the connection. The use of TONESHELL has been attributed to Mustang Panda since at least late 2022. As recently as September 2025, the threat actor was linked to attacks targeting Thai entities with TONESHELL and a USB worm named TONEDISK (aka WispRider) that uses removable devices as a distribution vector for a backdoor referred to as Yokai. The C2 infrastructure used for TONESHELL was set up in September 2024, although there are indications that the campaign itself did not commence until February 2025. The exact initial access pathway used in the attack is not clear, but it's suspected that the attackers abused previously compromised machines to deploy the malicious driver. Memory forensics is key to analyzing the new TONESHELL infections, as the shellcode executes entirely in memory. HoneyMyte's 2025 operations show a noticeable evolution toward using kernel-mode injectors to deploy ToneShell, improving both stealth and resilience. The Chinese espionage threat group Mustang Panda has updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard. CoolClient has been associated with Mustang Panda since 2022, deployed as a secondary backdoor alongside PlugX and LuminousMoth. The updated malware version has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan and was deployed via legitimate software from Sangfor, a Chinese company specializing in cybersecurity, cloud computing, and IT infrastructure products.
CoolClient uses encrypted .DAT files in a multi-stage execution and achieves persistence via Registry modifications, the addition of new Windows services, and scheduled tasks. It also supports UAC bypassing and privilege escalation. CoolClient's core features are integrated in a DLL embedded in a file called main.dat. When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled. New CoolClient capabilities include a clipboard monitoring module, the ability to perform active window title tracking, and HTTP proxy credential sniffing that relies on raw packet inspection and headers extraction. The plugin ecosystem has been expanded with a dedicated remote shell plugin, a service management plugin, and a more capable file management plugin. The service management plugin allows the operators to enumerate, create, start, stop, delete, and modify the startup configuration of Windows services. The file management plugin provides extended file operations, including drive enumeration, file search, ZIP compression, network drive mapping, and file execution. Remote shell functionality is implemented via a separate plugin that spawns a hidden cmd.exe process and redirects its standard input and output through pipes, enabling interactive command execution over the command-and-control (C2) channel. A novelty in CoolClient’s operation is the deployment of infostealers to collect login data from browsers. Kaspersky documented three distinct families targeting Chrome (variant A), Edge (variant B), and a more versatile variant C that targets any Chromium-based browser. Another notable operational shift is that browser data theft and document exfiltration now leverage hardcoded API tokens for legitimate public services like Google Drive or Pixeldrain to evade detection.
ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure
The Hook Android banking trojan, an offshoot of ERMAC, has evolved to include ransomware-style overlays and supports 107 remote commands. The malware targets financial applications and is distributed via phishing websites and GitHub repositories. The source code leak of ERMAC V3.0 in March 2024 exposed its full infrastructure, revealing critical weaknesses that can be used by defenders to track and disrupt active operations. ERMAC V3.0, an Android banking trojan, was first documented in September 2021 by ThreatFabric as an evolution of the Cerberus banking trojan operated by a threat actor known as 'BlackRock'. ERMAC v2.0 was spotted by ESET in May 2022, targeting 467 apps, up from 378 in the previous version. In January 2023, ThreatFabric observed BlackRock promoting a new Android malware tool named Hook, which appeared to be an evolution of ERMAC.