Tag: security

Fake “Stable Genesis Airdrop” Campaign Delivering a Crypto Wallet Drainer via Phishing

AnuragLeave a comment

In this analysis, I investigated a suspicious email titled “Stable Genesis Airdrop: Claim for Eligible Wallets Now Open”, which redirected victims to the domain:

hxxps://airdrop.stablereward[.]claims

Through sandbox execution, traffic inspection, and UI analysis, the campaign was confirmed to be a high confidence cryptocurrency phishing operation designed to steal wallet recovery phrases and authorize malicious blockchain transactions.

The site impersonates a fictitious project named “Stable”, abuses Cloudflare protection to evade automated detection, and deploys a fake wallet connection workflow that escalates into seed phrase harvesting.

Key Red Flags in Email Body

  • Claims gas fees are paid in USDT (technically incorrect for Ethereum)
  • Vague “Stable network” with no whitepaper, GitHub, or official domain
  • No verifiable project presence on CoinGecko or CoinMarketCap
  • Redirects to a non-standard .claims TLD

Domain and Infrastructure Analysis

Newly registered domains + crypto airdrops = classic scam pattern

WHOIS records show that the domain stablereward[.]claims was registered very recently on December 8, 2025, with an update made on December 17, 2025. The domain uses Cloudflare name servers.

Initial Page

The presence of a Cloudflare “Verify you are human” gate indicates an intentional attempt to restrict automated access, as it effectively blocks crawlers and many security scanners from analyzing the site’s content. This technique is commonly used by malicious or suspicious sites to evade sandbox detection and fingerprinting, ensuring that payloads or scam pages are only served to real users while analysis environments are filtered out.

Main Landing Page

The site displays fabricated statistics such as 142,847 eligible wallets and a 50 million token allocation to create a false sense of scale and legitimacy. These exaggerated numbers are paired with a prominent “Connect Wallet” call-to-action designed to lure users into authorizing wallet access

Wallet Interaction And Credential Harvesting

It lists:

  • MetaMask (recommended)
  • Trust Wallet
  • Coinbase Wallet
  • Ledger
  • Trezor
  • Phantom
  • OKX
  • Rabby
  • Uniswap Wallet

The most critical malicious behavior is observed when the site prompts users to “Import Wallet, Enter your 12-word recovery phrase” instead of invoking a legitimate wallet extension.

JavaScript Anti-Analysis Techniques

The observed JavaScript snippet is a deliberate anti-analysis technique used to disrupt inspection and automated execution. By invoking the debugger statement, the script forces execution to pause whenever browser developer tools are open, effectively halting code flow during analysis. This behavior can break automated sandboxes and dynamic analysis environments, compelling security analysts to manually bypass or modify the script before further investigation can continue.

Network Traffic Analysis

The site silently connects to multiple blockchain RPCs:

  • rpc.ankr[.]com/bsc
  • bsc-dataseed*[.]bnbchain.org
  • binance[.]nodereal[.]io

These indicators suggest that the operation is designed with multi-chain capability, targeting both Ethereum and Binance Smart Chain (BSC) users to maximize reach. Such setups typically perform wallet balance enumeration, NFT discovery, and malicious token approval requests that enable silent asset draining. The overall behavior closely matches well-known wallet drainer kits.

Attack Chain Summary

Confirmed Scam

All observed indicators clearly confirm malicious intent. The request for a wallet recovery phrase is explicitly malicious, the newly registered domain presents a high risk profile, and the so called project shows no verifiable legitimacy. On chain interaction analysis indicates RPC based draining behavior, while the presence of anti debugging JavaScript further reinforces deliberate evasion of analysis.

Indicators of Compromise – Domains

  • airdrop.stablereward[.]claims
  • stablereward[.]claims

NanoCore RAT Malware Analysis

Anurag1 Comment

NanoCore is a well-known Remote Access Trojan (RAT) used by threat actors for espionage, data theft, and system control. In this post, I will analyze a NanoCore RAT sample with the hash 18B476D37244CB0B435D7B06912E9193 and explore its behavior, obfuscation techniques, and deobfuscation process.

File Hash MD5: 18B476D37244CB0B435D7B06912E9193
Filename: Sigmanly_0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46
File size: 203.00 KB
NanoCore Client Version: 1.2.2.0
VirusTotal Detection Score: 64/72
File download: any.run

Static Analysis

Initial Inspection

Using Detect It Easy (DIE), I identified that the sample is a .NET executable and employs Eazfuscator obfuscation to hinder analysis.

Deobfuscation

To analyze the code effectively, I used de4dot to deobfuscate the executable. de4dot successfully restored readable class and method names, making it easier to understand the malware’s logic.

Below is how the deobfuscated code appears now.

Strings Analysis

Using SysInternals Strings, I extracted various strings from the binary and found the following indicators:

  • “Connecting to {0}:{1}..”
  • “/create /f /tn “{0}” /xml “{1}””
  • “schtasks.exe”
  • “CreateScheduledTask”
  • “/run /tn “{0}””
  • “RunScheduledTask”
  • “Host: {0}”

These strings indicate that the malware uses Windows Task Scheduler for persistence and C2 communication.

Dynamic Analysis

To gain deeper insights, I used dnSpy to debug the code and analyze its behavior in a controlled environment.

Execution Flow Analysis

Startup Routine: NanoCore attempts to achieve persistence by copying itself to a hidden directory and creating a registry entry.

  • During dynamic analysis, I found that it adds saasmon.exe under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
  • It also creates a folder at C:\Program Files (x86)\SAAS Monitor to store its components.
  • Another folder is created at C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED, where the SAAS Monitor folder is placed, and saasmon.exe is dropped.

C2 Communication: The RAT connects to a remote Command-and-Control (C2) server, enabling an attacker to issue commands.

  • Wireshark Analysis: The malware attempts to establish connections to:
    • simpletest.ddns.net (Potential C2 domain)
    • 8.8.8.8 (Google DNS, likely used for connectivity checks)
    • Uses port 9632 to communicate with the given IP.
  • Plugin System: NanoCore features a modular plugin system, allowing attackers to load additional capabilities dynamically.
  • Installed Plugins: During dynamic analysis, I found that NanoCore installed the SurveillanceEx plugin, which enhances its spying capabilities.

  • Data Exfiltration: Captures keystrokes, screenshots, and clipboard data, sending them to the attacker.
  • It stores keylogs and clipboard data in C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\logs\users\kbxxxxx.dat.

In the image above, you can see that it is storing clipboard data along with the commands and text I was entering in applications.

Task Scheduler Analysis: The code contains functions to create a scheduled task using schtasks.exe, but during dynamic analysis, no scheduled task was actually created. Below is an image of the relevant code snippet that shows its intent to use Task Scheduler for persistence.

Indicators of Compromise (IOCs)

  • File Hash: 18B476D37244CB0B435D7B06912E9193
  • Network Indicators: (Extracted from dynamic analysis)
    • C2 Domain: simpletest.ddns.net
    • IP Contacted: 8.8.8.8 (Google DNS, may be used for connectivity checks)
    • Port: 9632
  • Registry Changes:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe
  • File System Changes:
    • C:\Program Files (x86)\SAAS Monitor\saasmon.exe
    • C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\SAAS Monitor\saasmon.exe
    • C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\logs\users\kbxxxxx.dat (Stores keylogs and clipboard data)

Conclusion

NanoCore RAT remains a persistent threat due to its modularity and extensive feature set. Through deobfuscation with de4dot and debugging with dnSpy, I was able to uncover its core functionalities. Defenders should stay vigilant by leveraging threat intelligence, monitoring network traffic, and applying proactive security controls.

If you found this analysis helpful, feel free to share and stay tuned for more in-depth malware research!

Fake SBI Reward APK Targets Victims with Trojan via WhatsApp

Anurag5 Comments

Cybercriminals continue to exploit unsuspecting users through cleverly crafted phishing campaigns. Recently, I encountered a forwarded message in a WhatsApp group that immediately raised suspicion. The message read as follows:

Dear Valued Customer,

Your SBI BANK 🏦 Reward Points (Rs 9980.00) will expire today. Now Redeem through SBI BANK🏦 REWARD App install & Claim Your Reward by Cash Deposit Your Account.

Thank-You 👇 team-SBI BANK

Attached to the message was an Android APK file, supposedly the “SBI BANK REWARD App,” which promised users a reward of Rs. 9980. Given the prevalence of similar scams, I decided to investigate the file’s legitimacy through static and dynamic analysis.

Initial Observations

  1. Suspicious Language and Presentation:
    • The message contained grammatical errors, with misspellings like “Value Customer” instead of “Valued Customer.”
    • Overuse of emojis (🏦 and 👇) and inconsistent formatting further indicated it was likely a scam.
  2. Hash Check:
    • I extracted the file hash and searched for it on VirusTotal (VT) and Any.Run. Surprisingly, no results were available for this hash.
    • This indicated that the file was either new or not widely distributed yet.

File Details

File Hash: 7f6e053f3551db9cb209fa5c05952a3e
File Type: Android .apk
File Size: 4.20MB
File Name: SBl REWARDZ POINT 1.apk

Static Analysis

Using JADX tool, I decompiled the APK to analyse its internal structure and code. Below are some findings:

Manifest Analysis

The APK requested excessive permissions, including access to SMS, Contacts, Call Logs, and Storage. These are common indicators of malicious intent.

The AndroidManifest.xml file revealed several critical points:

The manifest file defines activities and services such as BackgroundService, SmsReceiver, and BootBroadcastReceiver, which are typically used in malicious apps to intercept SMS and run processes at system boot.

Publicsuffixes.gz File

During the analysis, I found a file named publicsuffixes.gz. Upon extraction, it contained unrelated Chinese text, which did not directly link to the malicious APK but raised questions about the APK’s origin or development process.

Below is the translation of Chinese text from the publicsuffixes file. 

The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2013. The event was held on July 28, 2013. The 1989 event was held on July 28, 2013. The event was held on July 28, 2013. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in the middle of the Yangtze River, and the rise of middle-aged and young people in the middle of the Yangtze River. The 10,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 4,000-square-foot (1,000-square-foot) 2,000-square-foot (1,000-square-foot) 4,000-square-foot (1,000-square-foot) The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in Hong Kong, and also the rise of middle-aged and young people in Hong Kong. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, will be held on the 14th of the 14th anniversary celebration of the founding of the Peoples' Republic of China. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, will be held on the 21st anniversary of the founding of the Peoples' Republic of China. I sincerely hope that you will not be disappointed with the results of this project. I hope you will be happy with the results of this project. In this regard, the development of the industry has entered a new stage, and the development of the industry has entered a stage of rapid development. The 1984 World Cup has been held in Hong Kong since 1989. The 1984 World Cup has been held in Hong Kong since 1989. The 1984 World Cup has been held in Hong Kong since 1989. The 1984 World Cup has been held in Hong Kong since 1989. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people, and the rise of the middle-aged and young people. The wisdom of the people is the same as the practice of the traditional Chinese medicine. Customs of the West⹭Customs of the West⹭Customs of the West⹭Customs of the West⹭Customs of the West⹮Customs of the West⹮Customs of the West⹰Customs of the West⹲Customs of the West⹲Customs of the West⹳Customs of the West⹴Customs of the West⹴Customs of the West⹵Customs of the West⹵Customs of the West⹶Customs of the West⹺Customs of the West⹺Customs of the West⹺Customs of the West⹺Customs of the West⹮Customs of the West⹲Customs of the West⹤Customs of the West ⹢The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young, and the rise of middle-aged and young people. It was a period of rapid development, and it was a period of rapid development. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and young people in Hong Kong, and also the rise of middle-aged and young people in Hong Kong. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ The animal husbandry system is a system that allows animals to be picked up and eaten by locals. ⹯ In this regard, the development of the Internet has become a new trend, and the development of the Internet has become a new trend. In the future, the development of the Internet will continue to accelerate. The development of the Internet will continue to accelerate. ⹴The wisdom of the people is the wisdom of the people. The wisdom of the people is the wisdom of the people. The wisdom of the people is the wisdom of the people. The wisdom of the people is the wisdom of the people. Hunting 牶敩汬 considered捥⹡knock溇橩 contention玱慦晩挭捯湴牯 nitrogen 慥牯੡楲⹭畳 enemy洊慩狠敳੡楲 volume慦琮慥牯੡楲The scenery is the best. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. The lintel pile is the only one that has been built. I am alone, I am worried about my career, I am happy to be alone, I am alone.瀊怂楳 Zhuang浡⹴潫祯⹪怊怂楴愮怂楴愮橰੡歩瑡⹪瀊怂Step alone椤桯歫慩真⹪怊怂浵潫瑡⹮溇The 2014 World Economic Forum has selected 100 million nitrogen-containing foods and 10 million nitrogen-containing foods for sale in Hong Kong, the 2014 World Economic Forum, and the 2014 World Economic Forum. The enemy has a very strong sense of responsibility, and it is not easy to be irritated by the enemy. It is not easy to be irritated by the enemy. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The 1988 Beijing International Expo was held in Beijing, and the 1988 Beijing International Expo was held in Beijing. The cup is the only cup that can be picked up by the owner. The cup is the only cup that can be picked up by the owner. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, including the middle class values ​​of Hong Kong and Macau. The 1980s and 1990s, which was a very important era for the American people, saw the rise of the middle-aged man who was about to enter the country and become a model for the American people. The 1980s and 1990s, which was a very important era for the American people, saw the rise of the American people, and also saw the rise of the American people. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in the 1980s and 1990s, and also the rise of middle class values ​​in the 1990s and 1990s. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged man, who was about to enter the city of Beijing and was known as the "Eighteenth Century". This was the first time the 1980s and 1990s had reached a peak of 1980s and 1990s. The material is made of natural materials, and the material is made of natural materials. The material is made of natural materials, and the material is made of natural materials. The bridge is the bridge between the two cities, and the bridge between the two cities is the bridge between the two cities. The 2020 Beijing International Airport has been a major port for the Chinese government to provide a variety of transportation services to the public, and the ... The gray house is the only one that can be restored ੡ash狞洴⹣tan੡灲敮浡present捬੡welding⹩把慱牥汬抔敡物畭⹭畳enemy把慱畩contamination⹩琊慲੡爮捯The 1980s and 1990s, which was a very important time for the American people, was a very important time for the American people. The 1980s and 1990s, which was a very important time for the American people, was a very important time for the American people. The 10,000 most common nitrogen-containing foods are found in the lungs, lungs, and lungs of animals. The 20th anniversary celebration of the founding of the Peoples' Republic of China, the 20th anniversary celebration of the founding of the Peoples' Republic of China, and the 20th anniversary celebration of the founding of the Peoples' Republic of China, have been held in the capital. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and elderly people, and also the rise of middle-aged and elderly people. The 100 most common words in English are used to describe the meaning of the word " ' ... The company has a unique business model, a unique business model, a unique business model, and a unique business model. The only thing you can do is to take a walk through the garden and learn about the garden.獡獳楮楯渮浵獥畭੡獳楳椮浵獥畭੡獳渮汫੡獳漮扪੡獳殍੡獳漮fold੡獳殮enemy⹯木੡獳殙੡獳漮杰੡獳漡੡獳殭੡獳殮੡獳漮湣੡獳漮੡獳棣楡瑥猊歭獯捩楯渮慥The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. The tidal flat is the tidal flat of the gorge. ⹢爊牮hunt杩⹫氪氪扮敹੡甊浵⹥甮潲朊恵洴楯元慵浵੡畤楢汥੡畤楯੡畤湥桡汮⹮溇慵杵獴潷⹰氊浵捴潷⹰氊浵据堂੡畲殮堂੡畲繤⹮溇慵牳歯札桯 dirt The 100 most common types of AIDS are found in the healthcare industry, and the 100 most common types of AIDS are found in the healthcare industry. I have been waiting for an hour for a while, and I have been waiting for an hour for a while. I have been waiting for an hour for a while, and I have been waiting for an hour for a while. We must ensure that every effort is made to ensure that the environment is healthy and that the people are happy. We must ensure that every effort is made to ensure that the environment is healthy and that the people are happy. The 1989 Tiananmen event was held at the 41st Beijing International Airport in Beijing, China, and it was held on the 4th Beijing International Airport in Beijing. The 1989 Tiananmen event was held at the 4th Beijing International Airport in Beijing, China, and it was held on the 4th Beijing International Airport in Beijing. The urn was full of ashes, and the urn was full of ashes. It was a very beautiful place, full of ashes, and it was very beautiful. It was a very beautiful place, full of ashes, and it was very beautiful. The 2014 National Development and Reform Commission has launched a series of targeted measures to improve the quality of life of enterprises and enterprises, and has also launched a series of targeted measures to improve the quality of life of enterprises. Independent business people should pay attention to the following aspects: The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2012. The 1989 Tiananmen event was held in Beijing, capital of China, on July 28, 2012. The 1989 event was held in Beijing, capital of China, on July 28, 2012. The scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that the scenery is so beautiful that it can be seen that The 20th anniversary celebration of the founding of the Peoples' Republic of China, was held on the 21st anniversary of the founding of the Peoples' Republic of China. It was held on the 21st anniversary of the founding of the Peoples' Republic of China, and it was held on the 21st anniversary of the founding of the Peoples' Republic of China. In this regard, the author has selected the following suggestions: In the future, the development of the industry will continue to accelerate, and the development of the industry will continue to accelerate. In the future, the development of the industry will continue to accelerate, and the development of the industry will continue to accelerate. ⹭畳敳扥敮楴� ... The 1984 World Cup has been held in Beijing for 10 years, and the 1984 World Cup has been held in Beijing for 10 years. The 20th anniversary celebration of the founding of the Peoples' Republic of China was held on the 21st of July in Beijing. The 20th anniversary celebration of the founding of the Peoples' Republic of China was held on the 21st of July in Beijing. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in the 1980s and 1990s, and also the rise of middle class values ​​in the 1990s and 1990s. Tan ੢楺੢楺⹡琊Expansion of species慺੢楺⹢Wu Expansion of species捹੢楺⹤Quan of expansion of species ੢楺⹦樊Expansion of species杬੢楺⹩搊Expansion of species歩੢楺⹬猊 expand kind 浶੢楺⹭眊 expand kind 湩੢楺⹮爊expand fire ੢楺⹰氊expand kind 灲੢楺⹳猊expand Ma੢楺⹴爊The development of the industry has been continuously improved, and the development of the industry has been continuously improved. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, and also the rise of middle class values ​​in the 1990s and 1990s. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle-aged and middle-aged man, and the rise of middle-aged and middle-aged women. It was a period of rapid development, and the rise of middle-aged and middle-aged women was a period of rapid development. The 1980s and 1990s, which was a period of rapid development, saw the rise of the middle class in Hong Kong, and also the rise of middle class values, such as the middle class values ​​of Hong Kong and Macau. The bathtub is bathed in the hot spring water, and the hot spring water is bathed in the hot spring water. The hot spring water is bathed in the hot spring water, and the hot spring water is bathed in the hot spring water.

Strings Analysis

Hardcoded URLs were found pointing to command-and-control (C2) servers.
References to financial APIs and terms like “OTP” and “Banking” suggested a focus on stealing sensitive data.

libiotusintouch.cpp.so File

The file was decompiled using GHIDRA, revealing the following Remote URLs:

The app sends detailed device information, including:

  • Device manufacturer and model
  • Android version
  • Mobile ID
  • SIM details
  • Mobile number

Additionally, I observed the name “Kritika” hardcoded in the log statements, potentially indicating the developer or a test/debugging artifact.

The following code snippet exemplifies the exfiltration of this data:

Dynamic Analysis

I executed the APK in a controlled environment using an Android emulator and monitored its behavior with HTTP Toolkit and Wireshark. Here’s what I uncovered:

Network Traffic

Analyzing network traffic with Wireshark revealed that, upon installation, the APK immediately established connections to previously identified URLs.

Communication via wss://socket.missyou9.in included the following parameters:

The persistent communication over WebSocket (wss://socket.missyou9.in) could be classified as beaconing behavior, as it periodically updates the server with device status and other details.

Keylogging Behavior

The application displayed phishing screens mimicking legitimate SBI login pages to harvest user credentials.

Upon providing information, it connects to superherocloud.com and upload the data.

  • Username, password and mobile number.
  • Profile password and DOB.
  • Full name, Account number and CIF.
  • Debit/Credit card number, Expiry date, CVV number and ATM pin.
  • OTP

Below screenshot refers to API calls captured during analyzing app.

The following code snippet submits device information to the endpoint: https://superherocloud.com/api/mobile/add.

After submitting the file to VirusTotal, it was flagged by 25 out of 67 antivirus engines as malicious. The detection names varied, but many indicated trojan-like behavior. The file’s VT analysis can be accessed here

Domains

The domain https://socket.missyou9.in was flagged by 2/94 vendors on VirusTotal, indicating potential malicious activity. Moreover, this domain is reportedly associated with other APKs impersonating different banking apps to conduct similar malicious campaigns. Also this domain is registered 5 month ago.

The domain https://superherocloud.com, used as the endpoint for exfiltrating device information, was registered only two months ago.
Despite its short lifespan, the domain has not yet been flagged as malicious on public threat intelligence platforms.

Implications of the Attack

This campaign is a clear attempt to steal sensitive user data, including banking credentials, debit/credit card information and OTPs, to perform fraudulent financial transactions. What makes it particularly dangerous is the exploitation of trust through the SBI branding and the urgency implied in the message.

Conclusion

This incident underscores the importance of vigilance in the face of cyber threats. While this particular APK was quickly identified as malicious, many others might slip through the cracks, targeting unsuspecting users. By raising awareness and adopting basic cybersecurity hygiene, we can mitigate the risks posed by such scams.

Stay safe and always think before you click!

[UPDATE]

I have uploaded the APK file to Malshare. You can download it using the link below.

SBl REWARDZ POINT 1.apk

Understanding and Identifying a Common Phishing Scam: “Your Device is Hacked”

Anurag2 Comments

Phishing emails continue to be a common and sophisticated way for cybercriminals to extort money and sensitive information from unsuspecting individuals. A recent example is an alarming email with the subject line “Your device is hacked,” which tries to create panic, demanding a Bitcoin payment to avoid further consequences.

Subject: Your device is hacked
 
Good day!

I have to bring something urgent to your notice - you are facing a major challenge. However do not worry just yet; I want you to hear me out, because there's invariably a way to resolution.

Right at this moment, you are subject to the examination of an global web of intruders, and that is a condition that infrequently ends favorably for anyone participating. You may have been informed of groups like Anonymous, nevertheless I guarantee you, we're working on an completely different scale - far beyond what they can offer. Our vast global community comprises countless of proficient experts, each playing a critical role.

Some of our team concentrate on breaching corporate and state systems, while others work stealthily with security agencies on classified missions. My role involves addressing issues tied to clients like you, which is why I am reaching out now.

You might be pondering, "Who are these individuals?" The response is clear: we're concentrated on those with a penchant for alternative and contentious mature content - material that many would deem unsuitable. Nevertheless evidently, you don't fit that type, right?

Allow me to elucidate how I found out this circumstance. A few of weeks ago, we installed stealthy spyware on your device, allowing us access to each your gadgets, including your cellular device. It was straightforward; one of those seemingly harmless pop-ups on private sites served as our entry point.

The good news is you still have a chance to take command of this issue. Let's discuss how you can guard yourself and regain your mental tranquility. Your next moves matter - act intelligently.

We both understand that many people engage in common or even more severe adult content - nothing uniquely unique about that. Nevertheless, the content you've decided to watch transcends a threshold into troubling area.

We've accessed your mobile device and laptop cameras and captured footage of you engaging in acts that are quite debatable. This includes intimate images of you along with the explicit material you were observing.

But remember, there's invariably a path to redemption, including for those who've wandered far. Today, you are blessed because my purpose isn't to inflict pain; I'm simply concentrated on a financial resolution.

This is an opportunity for you to assert control of the situation. Let's talk about how we can resolve this issue cordially.

Here is your rescue: you need to convey $1300 USD in Bitcoin to this digital currency address:
1JxQSshVKAqB9JxuUjmdEDrPN6TM7PzK9D

Let's confront it, that's a fairly insignificant sum in today's society.

I'm reaching out you with an urgent communication that demands your swift attention. You have just 12 hours to complete the payment. Do not delay - act now to safeguard yourself.

As soon as I receive of your transaction, I'll without delay remove all compromising content and fully turn off our computer system. I guarantee you, I honor my promises, even with those who may not fully earn confidence; this is strictly professional.

Nevertheless, if compensation is not received, I will be forced with no choice however to share the damaging videos with everyone in your network - companions, kin, coworkers, associates - everybody. Imagine the unrecoverable damage to your image. This is a blemish that can not ever be fully removed.

The outcomes of doing nothing will not only blemish your identity but could bring you to a point of hopelessness. It is essential to act swiftly.

If you're unfamiliar with digital currency, don't fret - it is easy. A quick search for "cryptocurrency marketplace" will show you how to complete a payment using your credit card. Given your virtual presence, you seem able of handling this with simplicity. Keep in mind, if you've competently traversed the depths of the online world before, this will be no hurdle for you.

Some key reminiscents to reflect on:

- Don't reply to this e-mail. This address is disposable, and any feedback will serve no function.

- Forget about law enforcement. The moment I detect any communication to the police, I will release the data without hesitation.

- Do not attempt to restore or dispose of your gadgets. Such steps are ineffective. My monitoring capabilities mean that I can track your all step.

- It's unfortunate that conditions have brought us here; you could have prevented this situation with more caution online. Be mindful in the future - what seems trivial today can have disastrous consequences tomorrow.

This message is intended as a last notification. Your response in the next 12 hours will determine the consequence of this situation.

Remember, the countdown is running, and the decision is in your control.


Postscript:

If your friends and colleagues were to discover the unethical things you engage in, it could severely harm your relationships and standing. Faith, once damaged, is hard to rebuild, and you might be viewed through a filter of criticism and confusion. This exposure could lead to social isolation, as people may distance themselves from you, being concerned about connection with your behaviors. The taint associated with atypical actions may cause isolation, misinterpretations, or even a damaged image that could hinder your profession possibilities. It is essential to think about the long-term effect this could have on your existence and the connections you value.

In this blog, let’s break down this email and highlight key indicators that mark it as a phishing scam. Recognizing these elements can help you identify similar threats and protect your digital safety.

1. Emotional Manipulation and Psychological Triggers

The first tactic cybercriminals employ is fear. By threatening exposure or embarrassment, they manipulate emotions to push victims into hurried actions. This email opens with an intimidating statement: “you are facing a major challenge.” It follows up with false claims about an elaborate network of hackers monitoring your devices, pushing the recipient into a state of urgency and vulnerability.

2. Specific, Yet General Accusations

The email insinuates that it has incriminating content recorded from the victim’s devices, which could be used for public exposure. However, no specific details or personal information are provided, a common tactic in phishing schemes to keep the accusation vague but ominous. The email accuses the recipient of accessing “controversial mature content” without citing any actual details, casting a wide net to increase its chances of striking fear in potential victims.

3. Unverifiable Technical Claims

Phishing scams often include technical jargon or exaggerated claims to make the message sound more credible. This email alleges that “spyware” was installed through “harmless pop-ups” and implies constant monitoring of all devices. In reality, no malicious software can be this all-encompassing or omniscient. Malware usually requires direct or indirect user permission, such as through a fake download or link, to infiltrate systems.

4. Demand for Payment in Bitcoin

Most phishing emails demand payment in Bitcoin, as cryptocurrency transactions are anonymous and difficult to trace. Here, the email demands $1,300 in Bitcoin within 12 hours, setting a time frame that plays on urgency and limits a recipient’s chances to think critically or consult others.

The specified BTC address has not shown any transactions to date, which thankfully indicates no victims so far.

5. Warnings Against Law Enforcement and No Replies

The sender advises against contacting the police or even responding to the email. By isolating the victim from potential help, the scammer creates a psychological barrier, further increasing the chances of compliance. Additionally, they specify that the email is from a “disposable address,” which reinforces that any reply will be futile.

6. Technical Red Flags in the Email Header and Sender Information

A quick analysis of the email header and sender address reveals additional signs of phishing. Although the sender appears as “Lewis Ray info[@]pdparis.com,” the header details a different server (hostglobal.plus) and an untrustworthy IP address with a VirusTotal score of 10/94. This indicates that the IP has previously been associated with malicious activity, solidifying suspicions that this email is not legitimate.

The email header above indicates that the message was received from IP address 78[.]153[.]140[.]175, which has a VirusTotal score of 10/94.

Protective Steps to Take

  • Do Not Reply or Pay: Responding or paying emboldens attackers and makes you a potential target for future scams.
  • Check Your Security: Ensure that your antivirus and software updates are current. Run scans to ensure no malware or spyware is on your devices.
  • Educate and Stay Vigilant: Familiarize yourself with common phishing tactics and educate family or colleagues who may be less aware of cybersecurity risks.

Final Thoughts

Emails like this serve as a reminder of the importance of staying informed about phishing tactics and practicing good cyber hygiene. By recognizing the tactics outlined in this scam email, you can better protect yourself and avoid falling victim to extortion attempts. Remember, if something feels suspicious, it probably is—take a moment to verify, breathe, and never rush to respond to threats like these.