Researchers have uncovered HyperRat, a new Android malware sold as a service, giving attackers remote control, data theft tools, and mass phishing features.

Cybersecurity researchers at iVerify have identified a new Android remote access trojan (RAT) called HyperRat, being promoted on cybercrime forums under the malware-as-a-service (MaaS) model. The tool allows attackers to remotely control infected devices, collect sensitive data, and send mass phishing messages without writing a single line of code.

HyperRat operates as a paid subscription. Once a buyer joins, they receive a customised malicious APK and access to a web-based control panel managed by the seller. That panel lets operators monitor infected devices, send commands, and view logs, while the developer maintains the backend infrastructure. Researchers say this model shows a change in the underground Android malware market, where automation is now a key selling point.

****Web Control Panel and Device Management****

According to iVerify’s blog post, its researchers analysed screenshots from the control interface that show a dashboard listing infected phones by number, IP address, and recent activity.

From this panel, operators can open a VNC session, send SMS messages from the victim’s SIM, retrieve call logs, modify permissions, and download archived messages. One button labelled for mass messaging indicates the malware can also be used for spam or phishing campaigns, not just surveillance.

Another screenshot shows detailed permission management. HyperRat tells the operator which Android privileges are active, including internet access, call and SMS control, and auto-restart after reboot. It can also request accessibility permissions and bypass battery optimisation, techniques commonly used to maintain persistence on a device even after reboots or user interference.

HyperRat’s dashboard (Screenshot via iVerify)

****Application Scanning and Bulk SMS****

The malware can enumerate installed applications, giving the operator a full list of package names and app titles. This allows them to decide which apps to impersonate using **phishing overlays**. For example, if a banking or payment app is detected, HyperRat can trigger a fake login screen mimicking that service, harvest credentials, and then hand control back to the real app to avoid suspicion.

The control panel also includes a “Send to contacts” form that lets the attacker send phishing messages directly from the victim’s phone. Operators can select SIM slots, set message delays, and choose which contacts to target. Because these messages originate from legitimate devices, they often bypass carrier-level spam filters and reach more potential victims.

**Telegram-Based Control**

HyperRat integrates with Telegram bots for remote control and notifications. The operator can configure chat IDs and API tokens so that alerts and logs are delivered directly through Telegram chats. Using the encrypted messaging platform allows attackers to manage devices discreetly and avoid detection by security monitoring systems that rely on traditional command-and-control traffic patterns.

**Custom APK Builder**

A built-in APK builder lets the attacker generate a fake Android app with a spoofed name and icon. Options in the builder include hiding the app icon, intercepting notifications, enabling a SOCKS5 proxy, disabling battery optimisation, and launching a VNC module for remote screen access. The builder also supports WebView mode, enabling the app to disguise itself as a basic browser while quietly connecting to the attacker’s server.

What HyperRat malware can do (Screenshot via iVerify)

**Advertising and Market Context**

HyperRat is being marketed in Russian-language channels as a “next generation Android app for tracking and controlling your device.” Its feature list includes full access to SMS and MMS messages, automatic SIM number retrieval, one-click message archiving, and a web control panel with analytics.

The appearance of HyperRat follows other MaaS kits such as PhantomOS and Nebula, which provide similar capabilities for a monthly fee. These platforms lower the barrier for entry, allowing even inexperienced actors to run mobile spying or credential theft campaigns using prebuilt infrastructure.

Users should avoid sideloading APKs from untrusted sources, check which app is set as the default for SMS, and regularly review permissions for anything requesting access to accessibility services or system settings.

New HyperRat Android Malware Sold as Ready-Made Spy Tool

Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior.
Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert.
Here’s how that false sense of security

⚡ Weekly Recap: WSUS Exploited, LockBit 5.0 Returns, Telegram Backdoor, F5 Breach Widens

New Android malware Baohuo hijacks Telegram X accounts, stealing data and controlling chats. Over 58,000 devices infected, mainly in India and Brazil.

A new Android threat is spreading fast through fake versions of Telegram X, giving attackers complete control over users’ accounts. Security researchers at Doctor Web have named it Android.Backdoor.Baohuo.1.origin, describing it as one of the most advanced Android backdoors seen this year.

It starts out looking like a normal Telegram X app, a real Android app developed by Telegram, offering a faster and more experimental version of the main Telegram client. The app is available on the Google Play Store.

Original Telegram X App and Fake Version – The fake app is misusing the name Telegram FZ-LLC.

In the Baohuo malware scam, victims usually come across the fake Telegram X app through online ads that claim to offer an improved or dating-focused version of the messenger. After installation, the app appears to work normally, but in the background, it connects to remote servers and takes control of the user’s Telegram account.

Baohuo can hide unauthorised logins and erase traces of any new or deleted chats or channels. This lets attackers join, leave, or change channels without the user noticing. In effect, they gain full access to messages, contacts, and sessions, and can manage chats as if they owned the account.

****How Baohuo Works and Its Global Impact: 58,000 Devices Infected****

Baohuo uses the Xposed framework to alter app behaviour at runtime. That lets it hide chats, devices, and notifications, or display fake update popups that send users to malicious pages. It also creates “mirrors”, copies of legitimate Telegram methods, to mimic normal app actions while carrying out its own malicious tasks.

One of the malicious sites used in the scam to spread Baohuo Android malware (Image via Dr Web)

In their blog post, Doctor Web analysts say the operation began in mid-2024 and has already affected more than 58,000 Android devices, including smartphones, tablets, TV boxes, and even car systems. Most of the infections are found in India, Brazil and Indonesia, where users are targeted with localised ad templates written in Portuguese and Indonesian.

1.  India – 22.8%
2.  Brazil – 20.5%
3.  Indonesia – 9.6%
4.  Egypt – 5.5%
5.  Algeria – 4.0%
6.  Colombia – 3.1%
7.  Bangladesh – 2.2%
8.  Russia – 2.3%
9.  Iraq – 1.7%
10.  Pakistan – 1.7%
11.  Philippines – 1.7%

****A New Way of Command and Control****

The way Baohuo is controlled is another major concern. Earlier Android malware usually communicated through standard command-and-control (C2) servers. Baohuo, on the other hand, takes commands directly from a Redis database, making it the first known Android malware to use Redis for control.

This allows attackers to issue commands easily and continue operating if their main C2 server goes offline. These commands include uploading SMS messages, contacts, fetching encryption keys, pushing ads, downloading updates, or collecting detailed information about the infected device.

Worse, Baohuo can copy clipboard data. Anything copied on the phone, such as passwords or cryptocurrency wallet recovery phrases, can be intercepted and sent straight to the attacker’s server. The malware also checks in every few minutes, sending details about the user’s activity, such as whether the screen is on and what permissions the app has.

****Found in Popular Third-Party App Stores****

According to researchers, the malware has also been found in popular third-party app stores such as APKPure, ApkSum, and AndroidP. In some cases, it was listed as being uploaded by Telegram’s actual developer, even though the digital signatures didn’t match. Doctor Web says it has alerted these platforms to remove the trojanized files.

The company says its mobile antivirus products detect and remove all known versions of Baohuo, but the spread of modified Telegram apps on unofficial platforms remains a major issue. Users are advised to download Telegram only from the official Google Play Store or Telegram’s official website and to avoid installing APKs from links in ads or unverified catalogues.

Baohuo Android Malware Hijacks Telegram Accounts via Fake Telegram X

In this week’s newsletter, Bill explores how open communication about your skills and experience can help your security team uncover hidden gaps, strengthen your defenses, and better prepare for ever-present threats.

Thursday, October 23, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

“The truth about the world, he said, is that anything is possible... For existence has its own order and that no man's mind can compass, that mind itself being but a fact among others.” ― Cormac McCarthy, "Blood Meridian"

Earlier this week, I spent a few days off to take a reading retreat with my wife. Diving into several books from various genres and sitting on several quiet acres in the Texas hill country was a wonderful way to refuel. While reading a completely different book, I was reminded of this quoted section from Cormac and it gave me pause.  

We, as security practitioners, often move forward with the knowledge and expertise we've acquired along the various paths that led us to this point. It's easy to fall into the trap of assuming that, because we've shared similar experiences, we all possess the same skillsets — each of us following our own string in the maze. In the end, the gaps between what we assume about each other and the reality can be tremendous. How do we ensure these aren’t the very gaps adversaries exploit, and that our perceived strengths don’t become our weaknesses? 

It comes down to communication and community. Talking openly about our skillsets can feel unnecessary among seasoned practitioners—we often assume that everyone has followed a similar path through the maze of their careers. But in practice, conversations quickly reveal this isn’t the case. One of the best ways to build the soft skills that help your career grow is by meeting with your team and discussing the technical skills that got you here and how you apply them now, which skills still benefit your daily routine, and which have fallen to the wayside via obsolescence. If you can create a meeting focused on this topic — rotating among your direct team and involving the team or leader above — you’ll start to pinpoint the skillsets that have the greatest impact on your day-to-day work.  

This process will help you identify specific technical skills needed for hiring or training new team members. It also gives junior analysts a clear view of what senior analysts rely on in their expanded roles, helping to guide their own education. Furthermore, when everyone understands the technical and soft skills that leadership uses, it can help remove the distance between technical and people leaders — and can leave a “string” for those early in their careers to follow as they navigate their own path through the maze 

Know your environment. This is always my first answer whenever I’m asked what to do next or how to proceed. Knowing with extreme clarity both the skillsets on your team and the foundation they’re built upon will allow your team to thrive and grow. It also makes it easier to identify opportunities for cross-training and to provide targeted mentorship where it’s needed most. 

“War was always here. Before man was, war waited for him. The ultimate trade awaiting its ultimate practitioner.” ― Cormac McCarthy, "Blood Meridian"

**The one big thing **

According to the Cisco Talos IR Trends Q3 2025 report, over 60% of our incident response cases involved attackers exploiting public-facing applications, mainly through the ToolShell attack chain against unpatched Microsoft SharePoint servers. This is a huge jump from under 10% last quarter. About 20% of cases were ransomware-related (down from 50%), but new ransomware variants and tactics, like using legitimate tools for persistence, were seen. Attackers also increased their use of compromised internal accounts for phishing, and public administration became the top targeted sector for the first time since we began these reports in 2021. 

**Why do I care? **

Attackers are going after anyone with exposed or outdated systems, including local governments and public services. With attackers exploiting new vulnerabilities almost immediately (especially in widely used software like SharePoint), even small delays in patching or weak internal defenses can put your organization and its data at serious risk. 

**So now what? **

Prioritize rapid patching of public-facing applications, especially after new vulnerabilities are disclosed, and implement strong network segmentation to limit attackers' lateral movement. Additionally, enhancing multi-factor authentication, improving centralized logging, and educating your users can help detect and block attacks earlier. 

**Top security headlines of the week **

**Vulnerability in Dolby Decoder can allow zero-click attacks**   
Tracked as CVE-2025-54957 (CVSS score of 7.0), the security defect can be triggered using malicious audio messages, leading to remote code execution. On Android, the vulnerability can be exploited remotely without user interaction. (SecurityWeek) 

**131 Chrome extensions caught hijacking WhatsApp Web for massive spam campaign**   
Researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale. (The Hacker News) 

**Prosper data breach impacts 17.6 million accounts**   
Hackers stole personal and financial details belonging to 17.6 million users of the Prosper lending platform, including Social Security numbers and government IDs. (SecurityWeek) 

**"PassiveNeuron” cyber spies target orgs with custom malware**   
A threat campaign is targeting high-profile organizations in the government, industrial, and financial sectors across Asia, Africa, and Latin America, with two custom malware implants designed for cyber espionage. (Dark Reading) 

**Can’t get enough Talos? **

*   **Reducing abuse of Microsoft 365 Exchange Online Direct Send**   
    Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Here's how to strengthen your defenses. 
*   **Beers with Talos: Two Marshalls, one podcast**   
    Talos' Vice President Christopher Marshall (the “real Marshall,” much to Joe’s displeasure) joins Hazel, Bill, and Joe for a very real conversation about leading people when the world won’t stop moving. 

**Upcoming events where you can find Talos **

*   NTNU MALWAREFORUM (Oct. 28 – 29) Oslo, Norway 
*   Bsides Osijek (Nov. 5) Osijek, Croatia 
*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**   
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974   
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: 629ff05b7396cd0278ac345008b1e9246a6511da973e3e7eb630c5890758c15a**   
MD5: 6692f8df8616472715273203b42e754d    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=629ff05b7396cd0278ac345008b1e9246a6511da973e3e7eb630c5890758c15a    
Example Filename: EasyAsVPNgo.exe   
Detection Name: W32.Proxy.27e2.1201

Strings in the maze: Finding hidden strengths and gaps in your team

The UK’s competition watchdog says Apple’s “walled garden” gives it too much control—and may soon force it to allow rival app stores on iPhones.

The UK’s Competition and Markets Authority (CMA) ruled that both Google and Apple have a “strategic market status.” Basically, they have a monopoly over their respective mobile platforms.

As a result, Apple may soon be required to allow rival app stores on iPhones—a major shift for the smartphone industry. Between them, Apple and Google power nearly all UK mobile devices, according to the CMA:

> “Around 90–100% of UK mobile devices run on Apple or Google’s mobile platforms.”

According to analyst data cited by the BBC, around 48.5% of British consumers use iPhones, with most of the rest on Android devices. 

If enforced, this change will reshape the experience of most of the smartphone users in the UK, and we have heard similar noises coming from the EU.

Apple has pushed back, warning that EU-style regulation could limit access to new features. The company points to Apple Intelligence, which has been rolled out in other parts of the world but is not available in the EU—something Apple blames on heavy regulation.

For app developers, the move could have profound effects. Smaller software makers, often frustrated by Apple’s 15–30% commission on in-app purchases, might gain alternative distribution routes. Competing app stores might offer lower fees or more flexible rules, making the app ecosystem more diverse, and potentially more affordable for users.

Apple, however, argues that relaxing control could hurt users by weakening privacy standards and delaying feature updates.

**Security and privacy**

Allowing multiple app stores will undeniably reshape the iPhone’s security model. Apple’s current “closed system” approach minimizes risk by funneling all apps through its vetted App Store, where every submission goes through security reviews and malware screening. This walled approach has kept large-scale malware incidents on iPhones relatively rare compared to Android.

It remains to be seen whether competing app stores will hold the same standards or have the resources to enforce them. Users can expect more variability in safety practices, which could increase exposure to fraudulent or malware-infested software.

On the other hand, we may also see app stores that prioritize safety or cater to a more privacy-focused audience. So, it doesn’t have to be all bad—but Apple has a point when it warns about higher risk.

For most users, the safest approach will be to stick with Apple’s store or other trusted marketplaces, at least in the early days. Android’s history shows that third-party app stores often become hotspots for adware and phishing, so security education is key. Regulators and developers will need to work together to make the review process and data-handling practices transparent.

There is no set timeline for when or how the CMA will enforce these changes, or how far Apple will go to comply. The company could challenge the decision or introduce limited reforms. Either way, it’s a major step toward redefining how trust, privacy, and control are balanced in the mobile age.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Apple may have to open its walled garden to outside app stores 

SentinelLABS’ research reveals PhantomCaptcha, a highly coordinated, one-day cyber operation on Oct 8, 2025, targeting the International Red Cross, UNICEF, and Ukraine government groups using fake emails and a Remote Access Trojan (RAT) linked to Russian infrastructure.

A recent, highly coordinated cyberattack, codenamed “PhantomCaptcha,” targeted several major humanitarian and government groups supporting war relief efforts in Ukraine, according to new research from SentinelLABS.

The organisations targeted in this cyber attack included the International Red Cross, UNICEF, the Norwegian Refugee Council, and Ukrainian government administrations in regions like Donetsk and Dnipropetrovsk, among others.

The research, conducted in collaboration with the Digital Security Lab of Ukraine, reveals a clever operation launched on October 8th, 2025. The attackers spent six months preparing infrastructure for an attack that was only active for a single day.

Such rapid setup and shutdown suggest very skilled operators trying hard to avoid detection. Researchers noted the attack chain has similarities with the activity of COLDRIVER, a threat group linked to Russia’s FSB intelligence agency.

****Fake Emails and a Tricky Trap****

The attack began with official-looking emails from the Ukrainian President’s Office, which included a malicious PDF. Clicking a link in the PDF directed victims to zoomconference.app, a domain appearing as a legitimate Zoom site. This domain, hosted on a Russian-provider-owned server in Finland, presented a fake Cloudflare captcha page. This was a trap to trick people into downloading a secret spying tool.

PDF Document and Infection Path (Via SentinelLABS)

Further probing revealed that users were instructed in Ukrainian to copy a “token” and paste it into the Windows Run box to execute a hidden command. This technique, sometimes called Paste and Run or ClickFix, is dangerous because it makes the user unknowingly run the malicious code, often bypassing regular security software.

The spying tool is a multi-stage WebSocket-based remote Access Trojan (RAT) hosted on infrastructure linked to Russia, capable of giving attackers remote control over the victim’s computer to steal data.

****Long Planning, Short Operation****

The attackers’ planning was quite meticulous, showing a “high level of operational planning,” as SentinelLABS researchers explained in the blog post shared exclusively with Hackread.com. The main attack lasted only 24 hours, with user-facing websites quickly taken down. However, the command-and-control (C2) servers remained active to maintain control of any compromised systems.

Such “highly targeted, short-lived” campaigns, the researchers note, show that cyber operations against relief groups are persistent and constantly growing, aiming to collect sensitive information. The preparation and swift takedown point to an operator who understands both attack and evasion techniques.

It is worth noting that the researchers also found a potential link to a separate mobile campaign involving fake Android apps. Some were disguised as adult entertainment (like the “Princess Men’s Club” theme) or cloud storage, designed to steal a wide range of personal information, including users’ location, SIM card details, contacts, photos, and a list of installed apps.

zoomconference(.)click HTTPS response data matching princess-mens(.)click (Source: SentinelLABS)

Attacks like this show relief organisations are direct targets. Staff should treat unexpected messages as malicious. Never paste unknown tokens into the Run box. If a machine behaves oddly, take it offline and have it examined.

Report incidents to your national CERT and partners, rotate any exposed credentials, and run full scans and forensic checks. Tighten basic controls such as multi-factor authentication and limited admin rights. These steps stop many attacks before they can spread.

PhantomCaptcha RAT Attack Targets Aid Groups Supporting Ukraine

This is part of its broader push to fight impersonation and fraud, after removing more than 21,000 fake customer-support pages from Facebook.

Vulnerable Facebook Messenger and WhatsApp users are getting more protection thanks to a move from the applications’ owner, Meta. The company has announced more safeguards to protect users (especially the elderly) from scammers.

The social media, publishing, and VR giant has added a new warning on WhatsApp that displays an alert when you share your screen during video calls with unknown contacts.

On Messenger, protection begins with on-device behavioral analysis, complemented by an optional cloud-based AI review that requires user consent. The on-device protection will flag suspicious messages from unknown accounts automatically. You then have the option to forward it to the cloud for further analysis (although note that this will likely break the default end-to-end encryption on that message, as Meta has to read it to understand the content). Meta’s AI service will then explain why the device interpreted the message as risky and what to do about it, offering information about common scams to provide context.

That context will be useful for vulnerable users, and it comes after Meta worked with researchers at social media analysis company Graphika to document online scam trends. Some of the scams it found included fake home remodeling services, and fraudulent government debt relief sites, both targeting seniors. There were also fake money recovery services offering to get scam victims’ funds back (which we’ve covered before).

Here’s a particularly sneaky scam that Meta identified: fake customer support scammers. These jerks monitor comments made under legitimate online accounts for airlines, travel agencies, and banks. They then contact the people who commented, impersonating customer support staff and persuading them to enter into direct message conversations or fill out Google Forms. Meta has removed over 21,000 Facebook pages impersonating customer support, it said.

**A rising tide of scams**

We can never have too many protections for vulnerable internet users, as scams continue to target them through messaging and social media apps. While scams target everyone (costing Americans $16.6 billion in losses, according to the FBI’s cybercrime unit IC3), those over 60 are hit especially hard. They lost $4.8 billion in 2024. Overall, losses from scams were up 33% across the board year-on-year.

Other common scams include “celebrity baiting”, which uses celebrity figures without their knowledge to dupe users into fraudulent schemes including investments and cryptocurrency. With deepfakes making it easier than ever to impersonate famous people, Meta has been testing facial recognition to help spot celebrity-bait ads for a year now, and recently announced plans to expand that initiative.

If you know someone less tech-savvy who uses Meta’s apps, encourage them to try these new protections—like Passkeys and Security Checkup. Passkeys let you log in using a fingerprint, face, or PIN, while Security Checkup guides you through steps to secure your account.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

**About the author**

Danny Bradbury has been a journalist specialising in technology since 1989 and a freelance writer since 1994. He covers a broad variety of technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector. He hails from the UK but now lives in Western Canada.

 Meta boosts scam protection on WhatsApp and Messenger 

The Universe Browser is believed to have been downloaded millions of times. But researchers say it behaves like malware and has links to Asia’s booming cybercrime and illegal gambling networks.

The Universe Browser makes some big promises to its potential users. Its online advertisements claim it’s the “fastest browser,” that people using it will “avoid privacy leaks” and that the software will help “keep you away from danger.” However, everything likely isn’t as it seems.

The browser, which is linked to Chinese online gambling websites and is thought to have been downloaded millions of times, actually routes all internet traffic through servers in China and “covertly installs several programs that run silently in the background,” according to new findings from network security company Infoblox. The researchers say the “hidden” elements include features similar to malware—including “key logging, surreptitious connections,” and changing a device’s network connections.

Perhaps most significantly, the Infoblox researchers who collaborated with the United Nations Office on Drugs and Crime (UNODC) on the work, found links between the browser’s operation and Southeast Asia’s sprawling, multibillion-dollar cybercrime ecosystem, which has connections to money-laundering, illegal online gambling, human trafficking, and scam operations that use forced labor. The browser itself, the researchers says, is directly linked to a network around major online gambling company BBIN, which the researchers have labeled a threat group they call Vault Viper.

The researchers say the discovery of the browser—plus its suspicious and risky behavior—indicates that criminals in the region are becoming increasingly sophisticated. “These criminal groups, particularly Chinese organized crimes syndicates, are increasingly diversifying and evolving into cyber enabled fraud, pig butchering, impersonation, scams, that whole ecosystem,” says John Wojcik, a senior threat researcher at Infoblox, who also worked on the project when he was a staff member at the UNODC.

“They’re going to continue to double down, reinvest profits, develop new capabilities,” Wojcik says. “The threat is ultimately becoming more serious and concerning, and this is one example of where we see that.”

**Under the Hood**

The Universe Browser was first spotted—and mentioned by name—by Infoblox and UNODC at the start of this year when they began unpacking the digital systems around an online casino operation based in Cambodia, which was previously raided by law enforcement officials. Infoblox, which specializes in domain name system (DNS) management and security, detected a unique DNS fingerprint from those systems that they linked to Vault Viper, making it possible for the researchers to trace and map websites and infrastructure linked to the group.

Tens of thousands of web domains, plus various command-and-control infrastructure and registered companies, are linked to Vault Viper activity, Infoblox researchers say in a report shared with WIRED. They also say they examined hundreds of pages of corporate documents, legal records, and court filings with links to BBIN or other subsidiaries. Time and time again, they came across the Universe Browser online.

“We haven’t seen the Universe Browser advertised outside of the domains Vault Viper controls,” says Maël Le Touz, a threat researcher at Infoblox. The Infoblox report says the browser was “specifically” designed to help people in Asia—where online gambling is largely illegal—bypass restrictions. “Each of the casino websites they operate seem to contain a link and advertisement to it,” Le Touz says.

The Universe Browser itself is mostly offered for direct download from these casino websites—often being linked at the bottom of the websites, next to the logo of BBIN. There are desktop versions available for Windows, as well as an app version in Apple’s App Store. And while it is not in Google’s Play Store, there are Android APK files that allow the app to be directly installed on Android phones. The researchers say multiple parts of the Universe Browser and the code for its apps reference BBIN, and other technical details also reference the company.

The researchers reverse-engineered the Windows version of the browser. They say that while they have been unable to “verify malicious intent,” elements of the browser that they uncovered include many features that are similar to those found malware and tries to evade detection by antivirus tools. When the browser is launched, it “immediately” checks for the user's location, language, and whether it is running in a virtual machine. The app also installs two browser extensions: one of which can allow screenshots to be uploaded to domains linked to the browser.

While online gambling in China is largely illegal, the country also runs some of the world’s strictest online censorship operations and has taken action against illegal gambling rings. While the browser may most often be being used by those trying to take part in illegal gambling, it also puts their data at risk, the researchers say. “In the hands of a malicious actor—a Triad for example—this browser would serve as the perfect tool to identify wealthy players and obtain access to their machine,” the Infoblox report says.

Beyond connecting to China, running key logging, and other programs that run in the background, Infoblox’s report also says multiple functions have been disabled. “The right click, settings access and developer tools, for instance, have all been removed, while the browser itself is run with several flags disabling major security features including sandboxing, and the removal of legacy SSL protocols, greatly increasing risk when compared with typical mainstream browsers,” the company’s report says. (SSL, also known as Secure Sockets Layer, is a historic type of web encryption that protected some data transfers.)

It is unclear whether these same suspicious behaviors are present in the iOS and Android versions of the app. A Google spokesperson says the company is looking into the app and confirmed it was not available through its Google Play store. Apple did not respond to requests for comment about the app.

**Connect the Dots**

The web infrastructure around the Universe Browser led the researchers back to BBIN, a company that has existed since 1999. While it was originally founded in Taiwan, the company now has a large base in the Philippines.

BBIN, which also goes by the name Baoying Group and has multiple subsidies, describes itself as a “leading” supplier of iGaming software in Asia. A UNODC report from April, which links BBIN to the Universe Browser but does not formally name the company as Vault Viper, says the firm runs several hotels and casinos in Southeast Asia as well as providing “one of the largest and most successful” iGaming platforms in the region. Over the last decade, BBIN has sponsored or partnered with multiple major European soccer teams, such as Spain’s Atlético de Madrid, Germany’s Borussia Dortmund, and Dutch team AFC Ajax.

In recent years, multiple football clubs in England’s Premier League have faced scrutiny over sponsorship by Asian gambling companies—including by TGP Europe which was owned by Alvin Chau, the chairman and founder of SunCity Group who was sentenced in January 2023 to 18 years in prison after being found guilty of running illegal gambling operations. TGP Europe left the UK earlier this year after being fined by the country’s gambling regulator. Atlético Madrid, Borussia Dortmund, and AFC Ajax did not respond to WIRED requests for comment.

The iGaming industry develops online gambling software, such as virtual poker or other online casino games, that can easily be played on the web or on phones. “BBIN Baoying is officially an online casino game developer or ‘white label’ online casino platform, meaning it outsources its online gambling technology to other sites,” says Lindsey Kennedy, research director at The EyeWitness Project, which investigates corruption and organized crime. “The only languages it offers are Korean, Japanese and Chinese, which isn’t a great sign as online gambling is either banned or heavily restricted in all three countries.”

“Baoying and BBIN are what I would call a multi-billion dollar gray-area international conglomerate with deep criminal connections, backstopping and providing services to online gambling businesses, scams and cybercrime actors,” alleges Jeremy Douglas, chief of staff at the UNODC and its former regional representative for Southeast Asia. “Aside from what has been estimated at a two-thirds ownership by Alvin Chau of SunCity—arguably the biggest money launderer in the history of Asia—law enforcement partners have documented direct connections with Triad groups including the Bamboo Union, Four Seas, Tian Dao,” Douglas says of BBIN. (When Chau was sentenced in January 2023, court documents pointed to him allegedly owning a 66.67 percent share of Baoying).

BBIN did not respond to multiple requests for comment from WIRED. The firm’s primary contact email address it lists on its website bounced back, while questions sent to another email address and online contact forms, plus attempts to contact two alleged staff members on LinkedIn were not answered by the time of publication. A company Telegram account pointed WIRED to one of the contact forms that did not provide any answers.

The Presidential Anti-Organized Crime Commission (PAOCC) in the Philippines, which tackles organized and international crimes, did not respond to a request for comment from WIRED about BBIN.

Over the last decade, online crime in Southeast Asia has massively surged, driven partially by illegal online gambling and also a series of scam compounds that have been set up across Myanmar, Laos, and Cambodia. Hundreds of thousands of people from more than 60 countries have been tricked into working in these compounds, where they operate scams day and night, stealing billions of dollars from people around the world.

“Scam parks and compounds across the region generally host both online gambling and online scam operations, and the methodology used to lure individuals into opening online gambling accounts parallels that associated with pig-butchering scams,” says Jason Tower, a senior expert at the Global Initiative Against Transnational Organized Crime.

Last week, US law enforcement seized $15 billion in Bitcoin from one giant Cambodian organization, which publicly dealt in real estate but allegedly ran scam facilities in “secret.” One of the sanctioned entities, the Jin Bei Group in Cambodia, which US authorities accused of operating a series of scam compounds, also shows links to BBIN’s technology, Tower says. “There are multiple Telegram groups and casino websites indicating that BBIN partners with multiple entities inside the Jinbei casino,” Tower says, adding that one group on Telegram “posts daily advertisements indicating an official partnership between Jinbei and BBIN.”

Over recent years, multiple government press releases and news reports from countries including China and Taiwan, have alleged how BBIN’s technology has been used within illegal gambling operations and linked to cybercrime. “There are hundreds of Telegram posts aggressively advertising various illegal Chinese facing gambling sites that say they either are, or are built on, BBIN/Baoying technology, many of them by individuals claiming to operate out of scam and illegal gambling compounds, or as part of the highly illegal, trafficking-driven industry in Cambodia and Northern Myanmar,” says Kennedy from The EyeWitness Project.

While the Universe Browser has most likely been downloaded by those accessing Chinese-language gambling websites, researchers say that its development indicates how pivotal and lucrative illegal online gambling operations are and exposing their links to scamming efforts that operate across the world. “As these operations continue to scale and diversify, they are marked by growing technical expertise, professionalization, operational resilience, and the ability to function under the radar with very limited scrutiny and oversight,” Infoblox’s report concludes.

This ‘Privacy Browser’ Has Dangerous Hidden Features

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).
The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed **PhantomCaptcha** targeting organizations associated with Ukraine's war relief efforts to deliver a remote access trojan that uses a WebSocket for command-and-control (C2).

The activity, which took place on October 8, 2025, targeted individual members of the International Red Cross, Norwegian Refugee Council, United Nations Children's Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe's Register of Damage for Ukraine, and Ukrainian regional government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions, SentinelOne said in a new report published today.

The phishing emails have been found to impersonate the Ukrainian President's Office, carrying a booby-trapped PDF document that contains an embedded link, which, when clicked, redirects victims to a fake Zoom site ("zoomconference\[.\]app") and tricks them into running a malicious PowerShell command via a ClickFix\-style fake Cloudflare CAPTCHA page under the guise of a browser check.

The bogus Cloudflare page acts as an intermediary by setting up a WebSocket connection with an attacker-controlled server, and transmits a JavaScript-generated clientId, with the browser taking the victim to a legitimate, password-protected Zoom meeting if the WebSocket server responds with a matching identifier.

It's suspected that this infection path is likely reserved for live social engineering calls with victims, although SentinelOne said it did not observe the threat actors activating this line of attack during its investigation.

The PowerShell command executed after it's pasted to the Windows Run dialog leads to an obfuscated downloader that's primarily responsible for retrieving and executing a second-stage payload from a remote server. This second-stage malware performs reconnaissance of the compromised host and sends it to the same server, which then responds with the PowerShell remote access trojan.

"The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware," security researcher Tom Hegel said. "The WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host."

The malware connects to a remote WebSocket server at "wss://bsnowcommunications\[.\]com:80" and is configured to receive Base64-encoded JSON messages that include a command to be executed with Invoke-Expression or run a PowerShell payload. The results of the execution are subsequently packaged into a JSON string and sent to the server over the WebSocket.

Further analysis of VirusTotal submissions has determined that the 8-page weaponized PDF has been uploaded from multiple locations, including Ukraine, India, Italy, and Slovakia, likely indicating broad targeting.

SentinelOne noted that preparations for the campaign began on March 27, 2025, when the attackers registered the domain "goodhillsenterprise\[.\]com," which has been used to serve the obfuscated PowerShell malware scripts. Interestingly, the infrastructure associated with "zoomconference\[.\]app" is said to have been active only for a single day on October 8.

This suggests "sophisticated planning and strong commitment to operational security," the company pointed out, adding it also uncovered fake applications hosted on the domain "princess-mens\[.\]click" that are aimed at collecting geolocation, contacts, call logs, media files, device information, installed apps list, and other data from compromised Android devices.

The campaign has not been attributed to any known threat actor or group, although the use of ClickFix overlaps with that of recently disclosed attacks mounted by the Russia-linked COLDRIVER hacking group.

"The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control," SentinelOne said.

"The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files

The bug, tracked as CVE-2025-54957, could let attackers run code via audio files.

Researchers from Google’s Project Zero discovered a medium-severity remote code execution (RCE) vulnerability that affects multiple platforms, including Android (Samsung and Pixel devices) and Windows. Remote code execution means an attacker could run programs on your device without your permission. The flaw, found in Dolby’s Unified Decoder Component (UDC) that handles audio playback, can be triggered automatically when a device receives an audio message—no tap or user action required.

The flaw affects Android devices that use Dolby audio processing (for example, Google Pixel and Samsung smartphones) and Windows systems running Dolby UDC versions 4.5–4.13. Other vendors that integrate Dolby’s decoding capabilities may also be indirectly impacted, depending on their library updates.

Tracked as CVE-2025-54957, the problem arises from the way the Dolby UDC handles “evolution data.” In the context of Dolby Digital Plus (DD+) audio streams, evolution data refers to a specialized extension block introduced in later versions of Dolby’s codecs to support additional functionality, such as higher channel counts, advanced loudness metadata, and dynamic range adjustments.

The buffer overflow occurs when the decoder parses the evolution data and miscalculates the size of incoming packets. Because this data block can vary in length, depending on the metadata or the embedded audio mode, the faulty length calculation can lead to insufficient buffer allocation. Malformed data can then overwrite adjacent memory and potentially allow remote code execution.

Buffers are areas of memory set aside to hold data. When a buffer overflow happens, it can overwrite neighboring memory areas, which may contain other data or executable code. This overwriting is not a deliberate action by the transaction or program, but an unintended consequence of the vulnerability, which could have been prevented by bounds checking.

While not every overflow carries malicious intent, the behavior of buffer overflows can be exploited. Attackers can use them to disrupt the operation of other programs, causing them to malfunction, expose secrets, or even run malicious code. In fact, buffer overflow vulnerabilities are the most common security vulnerabilities today.

The vulnerability is exploitable by sending a target a specially crafted audio file. An attacker could make a phone or PC run malicious code inside the audio-decoding process, leading to crashes or unauthorized control. It’s similar to getting a song stuck in your head so badly that you can’t think of anything else and end up dancing off a cliff.

The abuse of CVE-2025-54957 is not a purely hypothetical case. In its official October 14 security advisory, Dolby mentions that it is:

> “aware of a report found with Google Pixel devices indicating that there is a possible increased risk of vulnerability if this bug is used alongside other known Pixel vulnerabilities. Other Android mobile devices could be at risk of similar vulnerabilities.”

Dolby did not reveal any details, but just looking at the September 2025 Android security updates, there are several patches that could plausibly be chained with this bug to allow a local attacker to gain an elevation of privilege (EoP).

**How to stay safe**

To prevent falling victim to an attack using this vulnerability, there are a few things you can do.

*   Don’t open unsolicited attachments, including sound files.
*   Install updates promptly. Dolby has released fixes that device makers must roll into firmware and OS updates—enable automatic updates where possible.
*   Use an up-to-date real-time anti-malware solution, preferably with a web component.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#android