🦅 New Android challenge: EagleSpy Reverse a real SpyNote-based trojan disguised as Vietnam's VNeID gov app. 📱 APK reversing 🔍 15 questions 🧬 2-stage dropper 🔐 AES key hunt 🌐 C2 decoding 🔗 malops.io/challenges/eaglesp… 💬 discord.gg/hnXXB38xzK By @P4nd3m1cb0y
[1/4]🚨 APK Malformation is no longer a niche evasion tactic; it is now a standard in the Android MaaS ecosystem. Observed in 3,000 samples across families like TeaBot, TrickMo, and SpyNote, it keeps malware fully functional while blinding static analysis tools.
Replying to @MTailamun
I analyzed the sample in a sandbox environment. A preliminary reverse engineering assessment indicates that it is a low-quality variant, closely resembling the SpyNote remote access trojan. Check this article out: research.checkpoint.com/2019…
This Saturday, our Head of Investigations and CISO, @DanOnSecurity, will be presenting at #BSidesSeattle. Make sure you catch his talk to get a look at how threat groups are using newly registered domains to deliver SpyNote Malware. #Cybersecurity #InfoSec #ThreatIntel
Jan 24
SpyNote is one of the more interesting Android RATs in the wild today. Better a published analysis than a perfect one left unfinished - this ina I published. :-) medium.com/@ireneusz.tarnows… #AndroidMalware #SpyNote #MobileSecurity #MalwareAnalysis #CTI
#SpyNote is a sophisticated piece of malware. How sophisticated? @c0t0d0s2 took a look at it, and a very thorough one. It's a long read, but worth it! All the more so because it is written so that not only technical people will understand it. And after reading it your hair stands on end a little, especially since some of the samples impersonated @InPostPL or @gmail. cert.orange.pl/aktualnosci/s…
This "WhatsApp Update" Will Empty Your Bank Account. Details: secureblink.com/cyber-securi… #Spynote #Phishing #CISO #hack #WhatsApp #Threatfeed #SecureBlink
27 Oct 2025
#Spynote #opendir | AttackCapture An opendir is tracked by @Huntio having 5 different spynote samples. 65cd191f13353ec1cc061ccc751cbfaa d610ced310444cfbab7daa91e3f79439 68a98e82d2abdec08d7cad18a0c3eb8b 32acc69b4c703de71d7a97632c805ede 16fd63efc57a726706ba9eb5b996af21
🎉 Published #QuarkEngine v25.10.1! Here are 3 major updates: 💡Add 4 new rules for the SpyNote malware family. 💡Add Quark script showcase of detecting CWE 927. 💡Optimize the document of Quark Script CWE 925. 👉 reurl.cc/QaQxaq #AndroidSecurity
🎉 4 new rules added and 238 rules updated for the #SpyNote malware family. We're moving toward practical, powerful tools — thanks for your continued support! 🙏 Thanks to @zorro_wang ! 🔗 Report: reurl.cc/QaqnQZ
20 Sep 2025
Replying to @FelrynX @Lumiphel
4/17 ragebait, consider downloading spynote
#ThreatProtection #SpyNote #Android #RAT is resurging via fake Google Play pages, using dropper APKs with DEX injection and obfuscation. Read more: broadcom.com/support/securit… #Cybersecurity #Malware
26 Aug 2025
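Cybersecurity researchers have confirmed a resurgence of the SpyNote malware targeting Android users. The attackers create fake Google Play Store sites that fully mimic the install screens of legitimate apps in order to distribute malicious APKs. Targets span social apps such as iHappy and CamSoda, games such as 8 Ball Pool, and utility apps such as Chrome and file managers. The attack infrastructure shares common characteristics, including specific IPs (154.90.58.26, 199.247.6.61), hosting providers (Lightnode, Vultr), and domain registrars (NameSilo, XinNet). The latest SpyNote implements advanced evasion techniques, including decryption of encrypted assets using an AES key generated from the app's package name, ClassLoader modification via DEX element injection, and obfuscation to hinder analysis. Functionally, as a remote-monitoring trojan, it is capable of camera and microphone control, call manipulation, keylogging, theft of two-factor authentication codes, credential theft via screen overlays, and even device locking and data wiping. gbhackers.com/beware-fake-go…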
Domaintools researchers look into the resurfacing of SpyNote Android RAT activity and provide additional information around the recent activity and changes in tactics since April. dti.domaintools.com/spynote-…
A new #SpyNote report is out! 🚨 Dive into the tactics of this Android RAT campaign, from dynamic payload decryption to new obfuscation methods. Learn how threat actors are using deceptive Google Play Store clones to target users dti.domaintools.com/spynote-…
A recent report reveals that deceptive websites are mimicking Google Play Store pages to distribute AndroidOS SpyNote malware, a potent RAT capable of extensive surveillance and data theft, highlighting the actor's evolving tactics since April. #CyberSec ift.tt/uJxZcQs
#ThreatProtection #SpyNote campaign abuses IBM Trusteer branding with a fake “Mobile” app. broadcom.com/support/securit…
🌏 Asia Threat Snapshot – Aug 15, 2025 We detected 295 IOCs across Asia: Mozi Botnet – 80 active download servers in 🇨🇳 CobaltStrike C2s linked to Chinese APTs SpyNote Android malware from India 🇮🇳 infra abuse Mirai RAT infra in Japan🇯🇵 & South Korea🇰🇷 🛑 IOC Samples: 110.41.11.176:5555 | 103.61.225.209 | 54.92.116.42:443