i used to break things.

Joined May 2013
F3D ツ retweeted
[1/4] 🚨 We tracked Mirax, a new Android RAT and banking malware operating as a private MaaS. First promoted on underground forums in December 2025, it's been actively targeting Spanish-speaking countries through Meta ad campaigns, reaching over 200,000 accounts.
1 Aug 2025
🥶
(1/6) 🚨 Our team tracked a large-scale MaaS operation that deployed PlayPraetor to infect over 11,000 Android devices globally. PlayPraetor is an Android RAT that facilitates On-Device Fraud (ODF) by giving operators complete real-time control over compromised devices.
F3D ツ retweeted
18 Apr 2025
(1/5)‼️ Our team has dissected "SuperCard X," a novel Android malware leveraging NFC relay for fraudulent cash-out. This MaaS campaign, attributed to Chinese-speaking threat actors, presents an intriguing case study in evolving mobile fraud techniques.
4 Dec 2024
[Update] All the messages from their official TG channel have been removed 🧐
[1/7] 🚨 We tracked a new Android banking trojan fraud operation dubbed DroidBot. We were able to observe active campaigns against UK, Italy, France, Turkey, Spain and Portugal targeting 77 distinct entities, including banking institutions and crypto-exchanges.
4 Nov 2024
Our latest investigation 🇨🇳
[1/6] 🚨We tracked a new Android banking trojan fraud operation dubbed ToxicPanda, which has intriguing connections with tgToxic. According to our investigation, TAs are currently targeting European and LATAM countries.
8 Oct 2024
icon-sha1: 18a1e1aaf557cef773b7987e7653c43f309e9432 👀
‼️ (1/5) On October 7th, 2024, we identified a new dropper associated with the TeaBot banking trojan within the Google Play Store. The initial stage of infection originates from the following application (com.mastercreativestudio.documanagerandpdf):
F3D ツ retweeted
10 Sep 2024
(1/5) 🚨The Cleafy TIR team identified some campaigns involving a new variant of the Android malware TrickMo, incorporating new anti-analysis mechanisms. The variant uses malformed ZIP files and JSONPacker, and is distributed via a dropper disguised as the Google Chrome browser.
F3D ツ retweeted
(1/6) 🚨 The Cleafy TIR team identified some campaigns involving an evolved version of the Android malware #Octo, also known as #Coper. This was confirmed by several posts, in an underground forum, in which the malware developer mentioned the keyword #Octo2
22 Aug 2024
CIS allowed? 👀 #Copybara
21 Aug 2024
#Android #Trojan #Malware @malwrhunterteam @cryptax @LukasStefanko @Cyber_O51NT @bl4ckh0l3z @JAMESWT_MHT @500mk500 @banthisguy9349 #Copybara From: https://scarica-app[.]icu/ZTk1ODliMTAwNTdiYjQwYjJjZDVmMDg2OTEzOTM5MWY/MyBNL.apk Live: "http://80.251.153[.]96:51144/injectionsupload/
F3D ツ retweeted
Cleafy's Simone Mattia (@simone_mattia_) & Federico Valentini (@f3d__) analyse a new fraud campaign involving the updated variant of the Medusa (TangleBot) Android banking trojan. cleafy.com/cleafy-labs/medus…
F3D ツ retweeted
25 Jun 2024
‼️ In May 2024, we tracked new fraud campaigns involving the Medusa (TangleBot) banking trojan, which had been under the radar for almost a year. Five different botnets were identified, targeting previously known country targets and new ones, such as France 🇫🇷 and Italy 🇮🇹 (1/4)
F3D ツ retweeted
‼️ We identified a new TeaBot dropper that sneaked into the official Google Play Store. The initial stage of infection originates from the following application: QR Reader & File Manager (com.appandutilitytools.fileqrutility). Right now, we’re counting over 10K installations.
F3D ツ retweeted
(1/4)🚨An active Copybara campaign has been intercepted. 📝TTPs: smishing -> vishing -> .apk installation -> ODF (On-Device fraud) 💸 TAs created multiple Copybara builds disguised by various banking institutions, depending on each victim’s.
11 Mar 2024
Is anyone aware of what is happening to @apklabio? Many samples are missing (including all the samples I shared on the platform 😮‍💨). Can't find any news or updates from @AvastThreatLabs cc @noexceptcpp @0xabc0 @500mk500 @Rolf_Govers @alberto__segura
F3D ツ retweeted
Cleafy researchers intercepted an ongoing banking fraud campaign against users in the UK, Spain & Italy. Copybara presents all the functionalities for performing On-Device Fraud and initiating unauthorised money transfers directly on the victim's device. cleafy.com/cleafy-labs/on-de…
5 Mar 2024
New technical analysis👇🏻
(1/4) 🚨 Starting in 2023, we intercepted an ongoing banking fraud campaign against UK, Spain, and Italy. TAs are leveraging a mix of Social Engineering and the usage of Copybara, an Android banking trojan. Report: cleafy.com/cleafy-labs/on-de… #android #malware #fraud #copybara
19 Feb 2024
Another banking fraud operation sneaks into @GooglePlay 👇🏻
19 Feb 2024
🚨 A distribution of TeaBot banking trojan was detected. The initial stage of infection originates from an application available on the Google Play Store. This application was intercepted on 14th February 2024, with 10K installations, and during the last weekend, it reached 100K
24 Nov 2023
i wonder how many analysts will try the same on the next waves 😂 ursnif is dead, long live ursnif!
24 Nov 2023
⚠️This is #crazy ⚠️ We met the #Ursnif #Gang via chat after client infection 🔥app.any.run/tasks/d016595f-6…
1 Aug 2023
#NoName057 is targeting Italian banking institutions
🚨 Our researcher @viuleeenz found a new wave of DDoS attacks against multiple Italian banking institutions. These attacks appear to be linked with #DDosia and #NoName057(16). Read here for more technical information 👇🏻
31 Jul 2023
New report on SpyNote 👇🏻
31 Jul 2023
🚨 Our technical analysis on SpyNote, a formerly Android Spyware recently adopted to perform bank frauds via Account Takeover attacks (ATO) and on-device fraud (ODF) against customers of several European banks. Full report: cleafy.com/cleafy-labs/spyno… #android #botnet #cleafy