Your data might be safe today. But that doesn’t mean it’s safe forever.
A growing number of sophisticated actors are collecting encrypted data now, with the goal of decrypting it later, when more powerful technology becomes available.
This strategy is known as Harvest Now, Decrypt Later (HNDL). And it’s not a future problem. It’s already happening, according to research from our McAfee VPN team.
For everyday people, that means private messages, financial records, and sensitive documents could be exposed years from now if protections don’t evolve today.
That’s why security teams, including McAfee’s VPN engineers, are already working on ways to strengthen encryption for both today and what comes next.
What “Harvest Now, Decrypt Later” Means
At its core, HNDL is simple: Attackers collect encrypted data now, store it, and wait until they have the tools to unlock it later.
Even though today’s encryption is incredibly strong, the strategy doesn’t rely on breaking it today. It relies on patience.
A Simple Way to Think About It
You put valuable belongings and documents in a safe at home that’s locked and secured. This works at preventing crimes of opportunity. But let’s say there’s a thief who steals the entire safe, knowing they have tools they can use later to access what’s inside. They wait, and once the tools are available, they break into your safe and access everything inside.
That’s one way to think of HNDL. The safe is the encryption. The quantum computing is the tool they can use later.
But in real life, you’d probably notice if your safe is gone. In the case of HNDL, if you’re not monitoring your data, you may not even notice encrypted information has been stolen to be decrypted.
Key Terms Explained
Term
What it means
Encryption
Scrambling data so others can’t read it
Quantum computing
A new type of computing that can break some encryption
HNDL
A strategy to collect encrypted data now and decrypt it later
Why This Matters Right Now
This isn’t about whether your data is valuable today. It’s about whether it might be valuable later.
Data with a long shelf life is especially at risk, including:
Financial records
Medical information
Private messages
Legal or identity documents
Even something that feels low-stakes today could become sensitive in the future.
And because the collection phase is already happening, the risk isn’t hypothetical. It’s already in motion.
How This Affects VPNs (and what doesn’t change)
VPNs remain one of the most effective ways to protect your data today. That hasn’t changed.
But HNDL introduces a new layer of complexity.
What’s still strong: The encryption that protects your data in transit remains highly resilient.
Where the risk is: The “handshake” process (how a secure connection is established) is more vulnerable to future quantum attacks.
In simple terms: Your data is well protected today, but parts of how that protection is set up may need to evolve for the future.
What Quantum Computing Changes
Traditional computers process information in a linear way.
Quantum computers work differently. They can solve certain types of problems much faster, including the kinds of mathematical challenges that protect today’s encryption.
That’s why attackers are willing to wait.
Once quantum computing reaches a certain level, it could unlock data that was previously considered secure.
What McAfee’s VPN Team is Working On
McAfee’s VPN team is already preparing for this shift.
Evaluating quantum-safe encryption approaches
Exploring hybrid models that protect both now and long-term
Building toward a more resilient VPN experience
This work builds on a broader privacy-by-design approach, where systems are designed to minimize risk from the start, not react after the fact.
Because with HNDL, waiting isn’t an option.
What You Can Do Now
You don’t need to wait for quantum computing to take steps today.
Use a trusted VPN to encrypt your connection
Be mindful of long-term sensitive data you share online
Avoid unsecured public Wi-Fi when possible
Keep your apps and devices updated
These steps help protect your data now while the industry builds toward future-ready security.
How McAfee Helps Protect You
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
Frequently Asked Questions (FAQs)
FAQ
Q: Is my data safe right now?
A: In most cases, yes—today’s encryption is extremely strong and is designed to protect your data from current threats. If you’re using trusted security tools like a VPN, safe browsing protections, and device security, your data is actively protected while it’s in transit and in use. However, no system is risk-free. Data exposed through phishing, weak passwords, breaches, or unsecured networks may still be vulnerable. And with “Harvest Now, Decrypt Later,” even properly encrypted data could be collected today and targeted for decryption in the future.
Q: What is quantum-safe encryption?
A: Quantum-safe (or post-quantum) encryption refers to new types of cryptography designed to remain secure even against future quantum computers. Today’s encryption relies on math problems that are extremely difficult for classical computers to solve, but quantum computers could eventually solve some of them much faster. Quantum-safe approaches use different mathematical foundations that are believed to resist those capabilities. In practice, many companies are moving toward hybrid encryption, combining today’s proven methods with newer quantum-resistant techniques to protect data both now and long-term.
Q: Should I still use a VPN?
A: Yes. A VPN remains one of the most effective ways to protect your data today, especially on public or unsecured networks. It encrypts your internet traffic and helps prevent interception by hackers, internet providers, or other third parties. While VPN protocols are evolving to address future quantum risks, they still provide strong, essential protection against today’s threats.
Q: When will this become a real threat?
A: The risk unfolds in two phases. The collection phase is already happening today, where sophisticated actors gather encrypted data and store it. The decryption phase depends on when quantum computing advances far enough to break certain types of encryption, which could take years but is actively progressing. This means data with a long lifespan, such as financial records, personal communications, and sensitive documents, is most at risk because it only needs to remain valuable until those capabilities exist.
McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The malware described in this blog relies on vulnerabilities Android made patches available for in 2016 – 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server. However patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity.
In the background, however, the app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens are injected with attacker‑controlled code.
This allows the operators to access any app data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure.
On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.
In total, we identified more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.
McAfee identified the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee’s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee Mobile Security detects this malware as a High-Risk Threat. For more information, and to get fully protected, visit McAfee Mobile Security.
Background And Key Findings
Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. Campaigns like Triada and Keenadu have shown that replacing system libraries gives attackers persistence to survive factory resets. BADBOX has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts.
NoVoice fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation. McAfee’s investigation revealed the following key findings:
All carrier apps were distributed through Google Play. No sideloading required, no user interaction beyond opening the app.
C2 infrastructure remains active at the time of publication.
The C2 server profiles each device and delivers root exploits matched to its hardware and software version.
The rootkit overwrites a core system library, causing every app on the device to run attacker code at launch.
The infection survives factory reset and can only be removed by reflashing the firmware.
The chain is fully plugin-based. Operators can push any payload to any app on the device at runtime.
The only task we recovered clones WhatsApp sessions, but the framework is designed to accept any objective.
Naming
The name comes from R.raw.novioce, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android’s media playback exemption. We believe it is a deliberate misspelling of “no voice.”
Distribution Method
All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.
Figure 1: One of the carrier apps on Google Play
The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.
Geographical Prevalence
The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common.
Figure 2: Affected users around the world
Malware Analysis
The following breakdown walks through each stage of the chain in order, from the moment a user opens the app to the moment stolen data leaves the device. No single file contains the full chain. Each stage decrypts and loads the next, most are delivered from the server at runtime.
Figure 3. The NoVoice rootkit payloads
Stage 1: The Delivery
The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version check entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: “FacebookSdk: Failed in initStore.”
If the device was already processed, the code cleans up files assumed to be left behind by previous runs, including paths that do not belong to any standard Android component. None of these are visible to the user.
If the checks pass, the app reads a polyglot image from its own assets’ directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce h.apk, and loads it into memory. It then deletes all intermediate files, temporary directories.
Figure 4: Normal looking image with malicious payloadFigure 5: The malicious payload begins after the IEND marker, starting with the magic value CAFEBABE
Stage 2: The Gatekeeper
The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment.
libkwc.so contains two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect analysis environments. It runs 15 checks, including emulator detection, root indicators, debuggers, VPN and proxy connections, Xposed hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device’s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot determine the device’s position and defaults to letting the chain continue. Two brands get special treatment: on Gionee devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely. Gionee devices have a documented history of shipping with pre-installed malware through supply chain compromise.
Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. If the gate fails, it deletes the working directory and stops.
Figure 6: 15 validation checks before proceeding to the next stage
Stage 3: The Plugin
Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as “kuwo” in their package names. It checks in with a C2 server every 60 seconds. Updates are delivered the same way as the initial payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device.
The first plugin delivered (rt) acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign’s name comes from this plugin: it embeds a silent audio resource named R.raw. novioce.
The checkin tells the server two things: who this device is and whether it has already been rooted. If it has not, rt_plugin downloads security.jar, moving the chain into root exploitation.
Figure 7: MediaPlayer initialized to load the embedded NoVoice audio
Stage 4: The Exploit
security.jar first checks whether the device is already rooted. If it has been, it stops. For unrooted devices, it sends the device’s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device.
Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk. The rootkit is already in place before any exploit runs.
The exploits are downloaded one at a time from the C2’s CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Our deep analysis of one revealed a three-stage kernel attack: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read/write, and finally credential patching and SELinux disablement.
The expected end result is the same across all exploits: a root shell with SELinux disabled. From that shell, the exploit loads CsKaitno.d. This is where exploitation ends and persistence begins.
Figure 8: SELinux enforcement disabled as part of the exploit chain
Stage 5: The Rootkit
CsKaitno.d carries four encrypted payloads: library hooks for ARM32 and ARM64 (asbymol and bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk.
The installer backs up the original libandroid_runtime.so and replaces it with a hook binary matched to the device’s architecture. It also replaces libmedia_jni.so. The replacements are not copies of the original libraries. They are wrappers that intercept the system’s own functions. When any hooked function runs, it redirects to attacker code.
Figure 9: Rootkit copying and preparing modified system libraries before remounting the filesystem as writable
After replacing the libraries, jkpatch modifies pre-compiled framework bytecode on disk. This is a second layer of persistence: even if someone restores the original library, the framework’s own compiled code still contains the injected redirections
Stage 6: The Watchdog
To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself.
It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact.
After cleaning up all staging files, the installer marks the device as compromised. On the next boot, the system’s process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker’s code.
Figure 10: Watchdog payload decrypted, written to disk, permissioned, and launched with a 60‑second restart interval
Stage 7: The Injection
On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them BufferA and BufferB in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and deleted from disk immediately after loading, leaving no files behind. BufferA runs inside the system’s package installer and can silently install or uninstall apps. BufferB runs inside any app with internet access.
BufferB is the campaign’s primary post-exploitation tool. It operates two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return.
If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to api[.]googlserves[.]com for a fresh domain list. Because BufferB runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device.
Figure 11: Injection logic selecting BufferA for the package installer and BufferB for all other apps
Stage 8: The Theft
The only task payload we recovered is PtfLibc, delivered to BufferB from Alibaba Cloud OSS. Its target is WhatsApp.
PtfLibc copies WhatsApp’s encryption database, extracts the device’s Signal protocol identity keys and registration ID, and pulls the most recent signed prekey. It also reads 12 keys from WhatsApp’s local storage, including the phone number, push name, country code, and Google Drive backup account. For the client keypair, it tries multiple decryption methods depending on how the device stores the key.
It sends the stolen data to api[.]googlserves[.]com through multiple layers of encryption and deletes the temporary database copy when done.
With these keys and session data, an attacker can clone the victim’s WhatsApp session onto another device.
Figure 12: Code accessing and copying WhatsApp’s encrypted Signal protocol databases for exfiltration
Infrastructure
The campaign spreads its C2 communication across multiple domains, each serving a different function.
fcm[.]androidlogs[.]com handles initial device enrollment. Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device checkin, exploit distribution, and result reporting. config[.]updatesdk[.]com serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis.
Task payloads for BufferB are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com). PtfLibc beacons to api[.]googlserves[.]com, a domain designed to look like Google service traffic at a glance.
The domain separation is deliberate. Taking down one domain does not affect the others. The C2 can update BufferB’s domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days.
Recommendations
Because the rootkit writes to the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages.
Attribution
Several indicators link NoVoice to the Android.Triada family. The property (os.config.ppgl.status)NoVoice sets to mark a device as compromised is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. Both NoVoice and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether NoVoice is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain.
Conclusion
What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device, survives factory reset, and monitors its own installation. The operators built a delivery system, an infrastructure.
We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure remains active. We do not know what other objectives have been deployed before, during, or after our analysis. The WhatsApp session theft we observed may be the least of it.
The rootkit’s persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and monitoring its own installation with a watchdog, makes remediation difficult.
This research underscores McAfee’s ongoing role in identifying advanced mobile threats and working with platform partners to protect users before large‑scale harm occurs.
The term ‘Vibe coding,’ first coined back in February of 2025 by OpenAI researchers, has exploded across digital platforms. With hundreds of articles and YouTube Videos discussing the dangers of Vibe coding and warning the internet about the rise of “Vibe Coders”, while others labelled it as the fundamental shift in software development and the future of coding.
Vibe Coding is an approach where the AI does heavy lifting, rather than the user. Instead of manually writing code or implementing algorithms, users describe their intent through text-based prompt, and the LLMs respond with fully functional code and explanation. Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate “perfect” code.
Given the ease of generating fully functional code, McAfee Labs has also seen a rise in vibe-coded malware. In these campaigns, certain components of the kill chain contain AI-generated code, significantly reducing the effort and knowledge required to execute new malware campaigns. This shift not only makes malware campaigns more scalable but also lowers the barrier to entry for new malware authors.
Executive summary
In January 2026, McAfee Labs observed 443 malicious zip files impersonating a wide range of software, including AI image generators and voice-changing tools, stock-market trading utilities, game mods and modding tools, game hacks, graphics card and USB drivers, ransomware decryptors, VPNs, emulators, and even infostealer, cookie-stealer, and backdoor malware, to infect users.
Across the 440+ zip files, we observed 48 unique malicious WinUpdateHelper.dll variants, responsible for the infections. McAfee has been detecting variants of this threat since December 2024, although the vibe coding observed in certain components appears to be a recent addition. These files are distributed through various legitimate content delivery network (CDN) services and file-hosting websites, such as Discord, SourceForge, FOSSHub, and MediaFire, to name a few. Another website that was actively delivering this malware was mydofiles[.]com.
Here, the attackers implement volume-driven malware distribution techniques to infect as many users as possible.
Figure 1: Attack Vector
This attack begins when users surf the internet looking for tools and software that promise to simplify their tasks. Instead, they encounter trojanized zip files.
We discovered over 100 URLs actively spreading this malware, of which approximately 61 were hosted on Discord, 17 on SourceForge, and 15 on mydofiles[.]com.
On running the executable, it loads a malicious WinUpdateHelper.dll file, which redirects the user to file-hosting websites, under the disguise that they are missing crucial dependencies and tricks them into installing unrelated software, which is a distraction. Meanwhile, the DLL has already requested and executed a malicious PowerShell script from a command-and-control (C2) server.
This script infects the user’s system and downloads additional mining software, and abuses the system’s resources, or it downloads additional payloads such as SalatStealer or Mesh Agent, depending on the WinUpdateHelper.dll sample which infected the user.
In this PowerShell script, the presence of explanatory comments and structured sections strongly indicates the use of LLM models to generate this code.
Read more about this in the Using AI to generate malware? section below.
So far, we’ve observed the mining of Ravencoin, Zephyr, Monero, Bitcoin Gold, Ergo, andClorecryptocurrencies.
Due to the presence of hardcoded Bitcoin wallet credentials within these malware samples, we were able to trace on-chain transactions and identify wallets containing over $4,500 USD that are part of this campaign.
Since most of the mining activity targets privacy-focused cryptocurrencies such as Zephyr, Ravencoin and Monero, the real financial impact is likely to be nearly double the amount identified through Bitcoin tracing alone.
Geographical Prevalence
Figure 2: Geographical Prevalence
This malware campaign has specifically targeted users in the following counties, ranked by prevalence: The United States of America, followed by United Kingdom, India, Brazil, France, Canada, Australia.
Bottom Line
The availability of LLMs capable of generating code instantly, combined with the widespread accessibility of technical knowledge, has created a low-effort, high-reward environment, making malware deployment increasingly accessible.
At McAfee Labs, we have been doing hard work so that you don’t need to worry. But it always helps to be informed and educated on the latest threat that steps into the threat landscape. We will continue monitoring these campaigns to ensure our customers remain informed and protected across platforms.
Technical Analysis
Impersonated Applications
Here we see malware distribution at a large scale and by analyzing the filenames of these ZIP archives, we can infer to the users that are being targeted. These are some of the names we’ve witnessed in the wild.
Figure 3: Malware Impersonating gaming software
The attackers are actively impersonating video game cheats and game mods for popular titles, and well-known script executors for Roblox, such as Delta Executor and Solara as seen above.
Figure 4: Malware Impersonating tools, malware and drivers
Names such as Panther-Stealer and Zerotrace-Stealer indicate that even users looking for malware on the internet are not safe either, reinforcing the notion that there is truly no honor among thieves.
The campaign also leverages drivers and AI-themed tools as part of its lure portfolio among other tools. Interestingly, we see the name ‘DeepSeek.zip’, where attackers are exploiting a prominent LLM model, DeepSeek. McAfee had encountered these types of attacks in early 2025 and covered them extensively.
Once the user downloads the ZIP archive from Discord or any other website. They get the following set of files.
Figure 5: Files within the zip archive.
Here, the executable named ‘gta-5-online-mod-menu.exe’ (Highlighted in Blue) is a legitimate and clean file. Whereas the file named ‘WinUpdateHelper.dll’ (Highlighted in Red) is malicious.
Figure 6: Command Prompt misinforming the user
On executing ‘gta-5-online-mod-menu.exe’, the malicious DLL is loaded. The user is informed that they are missing dependencies, and they’re redirected to the following URL via default browser.
Here, within the URL, a tracker variable is used to identify which malware has infected the user. In this instance, it was ‘gta-5-online-mod-menu’.
Figure 7: Website prompting users to download dependencycore.zip
Dependecycore.zip is a setup file. On execution, it installs unrelated 3rd party software on the victim’s system.
Figure 8: Files dropped by Dependecycore.zip in temp folder
In this instance, iTop Easy Desktop was installed.
This unwanted installation is meant to subvert users’ attention. As, the WinUpdateHelper.dll has already connected to the C2 server and infected the system.
Stage 1 Payload – Malicious Functionality
Once the redirection code is executed, the malware executes the malicious code.
Figure 9: Malicious code within WinUpdateHelper.dll
In the above code snippet, which is present in the WinUpdateHelper.dll, we can see that a new service has been created under the name “Microsoft Console Host” to make it appear to be benign (Highlighted in Red). The parameters passed to this service ensure that it executes at system boot. This is done to maintain persistence in the system.
The service executes a PowerShell command that dynamically generates the C2 domain using the UNIX time stamp.
Using the following code, $([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / 5000000) * 5000000).xyz
It generates a domain name that changes once every 5,000,000 seconds or 58 days.
The latest C2 domain we’ve discovered that is up and running is 1770000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper
During our analysis we observed the following domain 1765000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper, which is present in the following images.
Here the id=fA9zQk2L0M is randomly generated, to uniquely identify the user and tag=WinUpdateHelper is used to identify the malware campaign.
The malware connects to the above-mentioned C2 server to download a PowerShell script and execute it in memory. This fileless execution ensures improved evasion against signature-based detections.
Stage 2 Payload – PowerShell Script
Figure 10: PowerShell downloaded from the C2 server
It is funny to note here, that the first comment of this script says “# I am forever sorry” which indicates that the attacks do carry some guilt regarding their actions, but not enough to stop the campaign. We found similar comments, such as “# sorry lol”, across multiple PowerShell scripts we discovered.
The first set of commands (Highlighted in Green) are used to delete windows services and scheduled tasks. This is done to remove older or conflicting persistence mechanisms and to avoid duplicate miners from running on the same system.
The second set of commands (Highlighted in Red) are registry modifications, that adds “C:\ProgramData” to Windows Defender exclusion paths. That is, ProgramData Folder won’t be scanned by Windows Defender anymore. This exclusion allows malware to drop additional payloads to disk, without the risk of them being detected and removed.
The third set of commands (Highlighted in Blue) does exactly that. It downloads the next level payload from the URL “hxxps://1765000000[.]xyz/download/xbhgjahddaa” and stored it at this path “C:\ProgramData\fontdrvhost.exe”.
Again the name ‘fontdrvhost.exe’ imitates a legitimate Windows binary, to masquerade its true intent. After the download, the file is decoded using a simple arithmetic decryption routine. This provides protection against static signature detection and network detection.
The payload is an XMRIG miner sample. In the next command, the miner is initialized and executed. Here, we see the miner connecting to “solo-zeph.2miners.com:4444” and start CPU based Zephyr coin mining using the following wallet address: ‘ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4hoNKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf’.
Figure 11: PowerShell downloaded from the C2 server continued
In the second half of the script, we see another miner being set up and executed using the same technique (Highlighted in Red). This time the file is stored as “RuntimeBroker.exe” in the ProgramData folder. The miner is connecting to “solo-rvn.2miners.com:7070” to mine Ravencoin and it is using the system’s GPU instead of the CPU for mining (Highlighted in Blue).
This is the wallet address used for mining in this instance ‘bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r’.
Hence, we see a dual coin-mining deployment infrastructure utilizing both CPU and GPU resources to optimize mining efficiency.
Bitcoin? Interesting…
What is interesting here is that attackers have used a bitcoin wallet address for mining Ravencoin, which indicates they are using multi-coin pools for mining. The attackers are using the victims’ machine to mine Ravencoin and automatically convert the mining rewards to Bitcoin before the payout.
This is done for a variety of reasons, such as, bitcoin offers higher liquidity and has broader acceptance, but most importantly, Ravencoin is computationally easier and economically viable to mine on victim’s system. Bitcoin requires specialized ASIC hardware for profitable mining and attempting to mine Bitcoin directly on infected systems would generate negligible returns. We’ve seen the same behaviour in multiple samples.
This is a smoking gun. Unlike Zephyr coin or Monero, Bitcoin’s blockchain is fully traceable. Every Satoshi, the smallest unit of Bitcoin, can be traced across the blockchain from the moment it was mined to its current holder. From there, it becomes easy to determine how much cryptocurrency the threat actor is receiving. More on this later.
Anti-Analysis Techniques
The attackers have meticulously designed the campaign and have implemented various anti-analysis techniques to thwart researchers.
The PowerShell script we’ve seen above is responsible for downloading and initializing the coin miner samples. It is only accessible via PowerShell. If we try to access the server via Curl, we get the following response.
Figure 12: 301 Response from the server
This indicates that the server is actively monitoring the User-Agent of incoming requests and deploys the payload only when the request originates from PowerShell.
Similarly, the URLs embedded within the PowerShell script that download the next payload are unique to each victim and remain active for 60 seconds. After that, they return a 404 Not Found error.
Figure 13: URLs within the PowerShell
These techniques are meant to confuse and disorient researchers, making the analysis difficult.
Using AI to generate malware?
While working on this malware campaign, we came across over 440 unique zip files. These same zip files were distributed with over 1700 different names, targeting various software.
Across these 440 zip files, we noticed 48 unique variants of WinUpdateHelper.dll. These 48 files can be clustered together into 17 distinct kill chains, each featuring their own C2 infrastructure, misleading installation setups, second-stage PowerShell scripts and final payloads, yet the cryptocurrency wallet credentials remain similar.
In the above technical analysis, we’ve only covered 1 kill chain. Yet, across these 17 kill chains, we’ve noticed the flow remain the same.
Figure 14: PowerShell Script with LLM-Generated Comments
Across multiple second stage payloads, we encounter multiple comments such as the following, embedded within the code:
# === Create and execute run.bat in C:\ProgramData ===
:: This batch file:
:: – Creates the hidden folder C:\ProgramData\cvtres if it doesn”t exist (using CMD attrib for hidden + system)
:: – Downloads cvtres.exe from your GitHub URL
:: – Saves it to C:\ProgramData\cvtres\cvtres.exe
:: – Executes it immediately
:: – Runs completely hidden/minimized (no window visible)
The presence of such explanatory-style comments indicates that large language models were likely used during the development of these scripts. Especially, the comment “Downloads cvtres.exe from your GitHub URL”, where ‘Your GitHub URL’ refers to the threat actor’s GitHub repository that is hosting the malware, which indicates potential vibe coding.
Tracking Bitcoin Across the Blockchain
During analysis of this malware campaign, we came across few instances where the final payload was Infostealer malware. In most cases it was coin miner samples. In these cases, we encountered wallet credentials and mining pool URLs for several alternative cryptocurrencies such as Ravencoin, Zephyr, Monero, which aren’t traceable.
Fortunately, we came across 7 bitcoin wallets that are part of this malware campaign and are actively receiving mined cryptocurrency.
Browser extensions have become essential parts of how we browse, bank, work, and shop online. From password managers to ad blockers, these tools can significantly improve your digital life when chosen wisely. Chief among these are browser plug-ins, which extend its functionality. Almost all popular browsers support these extensions, unfortunately, making them one of the most commonly used malware attack vectors.
In this guide, you will learn about the advantages and security risks of browser extensions, the role that permissions play in ensuring your privacy when using these extensions, and some best practices when using them.
Browser extensions and their malicious counterparts
Browser extensions are small software programs that enhance your web browser by adding new functionality or modifying existing ones. Think of them as helpful extra tools that can block ads, manage passwords, check prices while shopping, or customize how websites look and behave. Legitimate extensions make your browsing experience more efficient and enjoyable.
Cybercriminals, however, have taken advantage of their popularity by creating malicious versions disguised as useful tools that secretly operate with harmful intentions. Some of these malicious browser extensions access and modify web pages, monitor your browsing activity, and interact with websites on your behalf.
While legitimate extensions request only the minimum permissions necessary for their stated purpose, malicious extensions often request more permissions than they need to access your browsing data and history.
Core tactics of malicious browser extensions
Malicious browser extensions typically operate through specific methods that can significantly impact your daily online activities, from casual browsing to important financial transactions, including:
Permission abuse occurs when an extension requests far more access than it needs to operate. For example, a weather extension that claims to show local forecasts might request permission to track the websites you visit, allowing it to monitor everything you do online and capture sensitive information such as passwords and credit card numbers without your knowledge.
Ad injection is where malicious extensions insert unwanted advertisements into web pages you’re viewing, appearing as pop-ups, banner ads, or even replacing legitimate advertisements with malicious ones. These injected ads disrupt your browsing experience, can lead to scam websites, or attempt to trick you into downloading additional malware.
Data theft is one of the most serious threats posed by malicious extensions. These programs can silently capture everything you type, including usernames, passwords, credit card information, and personal details, exposing your personal information to cybercriminals. When you log into your online banking or online shopping account, the malicious extension might record your login credentials and account information.
Traffic redirection involves redirecting your legitimate web traffic to scam websites designed to steal your information or trick you into making fraudulent purchases. This is particularly dangerous when you’re trying to access your bank’s website or other financial services, but are redirected to a convincing fake site that could capture your login credentials.
Drive-by downloads can be triggered by these ill-intentioned browser extensions when you visit specific websites, click on seemingly innocent links or files, or even during routine browsing activities. The links and files are disguised as legitimate software updates, media files, or useful applications that, in fact, could infect your device with ransomware, keyloggers, or other types of malware.
Cryptocurrency mining extensions secretly use your computer’s processing power to mine cryptocurrency for the extension creator, running resource-intensive calculations in the background without your knowledge or consent. This unauthorized mining activity causes your device to run more slowly, drain your laptop battery faster, consume more electricity, generate excess heat, and potentially shorten your hardware’s lifespan.
The impact of malicious browser extensions
If not caught, malicious extensions can disrupt your daily life and compromise your personal security.
Malicious extensions violate your privacy when they monitor your online behavior and track the websites you view, build a profile of your habits and preferences, and even obtain your home address and other personal details. These details can be used for identity theft, social engineering attacks, or sold to data brokers, ultimately compromising your privacy and potentially affecting your real-world safety and financial security.
When it comes to online shopping, some malicious extensions could pressure you into hasty purchase decisions, intercept your checkout process, and capture your payment information. Once cybercriminals have your shopping account credentials, they can impersonate you to make unauthorized purchases.
Similar incidents could happen with your banking and financial accounts. Malicious browser extensions can steal your login credentials, account numbers, transaction details, and eventually your money. Some cybercriminals have gone as far as opening new accounts and applying for loans using your stolen information.
The most insidious aspect of malicious browser extensions is their ability to operate silently in the background while maintaining the appearance of legitimate functionality. A malicious extension might continue providing its advertised service—such as weather updates or price comparisons—while simultaneously conducting harmful activities, making them effective at avoiding detection.
On top of the higher electricity bills, degraded device performance and browsing experience, and wasted network bandwidth, malicious extensions violate your values by turning your device into an unwitting money-making tool for cybercriminals while you bear the operational costs. Furthermore, malicious extensions could potentially expose you to additional malware or scams, and involve you in fraudulent advertising schemes.
Their impact extends beyond your own device and could affect your entire household. On the shared networks and devices, malicious extensions can spread and compromise other users.
Guidelines to stay safe with browser extensions
Chrome extensions can absolutely be safe to use when you approach them with the right knowledge and precautions. The vast majority of extensions on the official Chrome Web Store undergo Google’s review process and are built by legitimate, reputable developers who aim to enhance your browsing experience and follow security best practices.
Additionally, the Chrome Web Store’s rating system and user reviews provide valuable insights into an extension’s reliability and performance. When you stick to well-established extensions with thousands of positive reviews and regular updates, you’re generally in safe territory.
However, the extension ecosystem does present a few security challenges. The primary risks come from two main areas: permission abuse and post-installation behavior changes. When you install an extension, you give it permission to access various aspects of your browsing data and your device. Some extensions may request more permissions than they actually need, creating potential privacy and security vulnerabilities. Even more concerning, some extensions start with benign functionality but later receive updates that introduce malicious features or get sold to malicious actors who update them with data-harvesting capabilities, turning a once-safe extension into a potential threat.
To help you navigate these challenges safely, here’s a practical risk assessment framework you can use before installing any Chrome extension. This systematic approach takes just a few minutes but can save you from potential headaches down the road.
Step 1: Evaluate the source’s reputation
Start by examining who created the extension. Look for extensions developed by well-known companies or developers with established track records. Check the developer’s website and other extensions they’ve created. Extensions from companies like Google, Microsoft, or other recognized tech firms generally carry lower risk profiles. For individual developers, look for those who maintain a professional online presence and have created multiple successful extensions.
Step 2: Analyze user reviews and ratings
Don’t just glance at the overall star rating. Read the actual reviews, look for patterns in user feedback, and pay special attention to recent comments that might indicate changes in the extension’s behavior. Be wary of extensions with suspiciously perfect ratings or reviews that seem artificially generated. Legitimate extensions typically have a mix of ratings with detailed, specific feedback from real users.
Step 3: Examine permission requests carefully
This is perhaps the most critical step in your assessment. When you click “Add to Chrome,” pay close attention to the permission dialog that appears. Question if the requested permissions make sense for the tool’s functionality and be particularly cautious of extensions requesting broad permissions such as “Read and change all your data on the websites you visit.”
Step 4: Check installation numbers and update history
Extensions with millions of users and regular updates are generally safer bets than those with just a few hundred installations. However, don’t let high installation numbers alone convince you. Look for extensions that receive regular updates, which indicates active maintenance and ongoing security attention from developers.
Step 5: Research recent security issues
Before installing, do a quick web search for the extension name with terms like “security,” “malware,” or “removed.” This will reveal any recent security incidents or concerns that other users have reported. Security researchers and tech blogs often publish warnings about problematic extensions, information that can be invaluable in your decision-making process.
Ongoing browser security
The security landscape changes constantly, and extensions that are safe today might develop problems in the future. This is why ongoing vigilance is just as important as your initial assessment.
Install only as needed: Adopt a minimalist approach to installing extensions, as every browser extension you add increases your attack surface. Only install those you absolutely need.
Regularly audit your installed extensions: Set a reminder to review your extensions every few months, removing any that you no longer use or that haven’t been updated recently. This reduces your attack surface and helps keep your browser running efficiently.
Be wary of unrealistic benefits: When adding new browser extensions, be cautious of those that promise fantastic functions such as dramatically increasing internet speed or providing access to premium content for free. Extensions that require you to create accounts with suspicious email verification processes or that ask for payment information outside of Google’s official channels should also raise red flags.
Be cautious of duplicate functions: Be suspicious if the extension is replicating functionality already built into Chrome, as these often exist primarily to harvest user data. Extensions with generic names, poor grammar in their descriptions, or unprofessional-looking icons and screenshots indicate lower development standards and potentially higher security risks.
Install only from official stores: While not perfect, official browser stores offer significantly more security oversight than third-party sources or direct installation methods. Their layers of security screening include automated malware detection, manual code reviews for popular extensions, continuous monitoring for suspicious behavior, review systems, and developer verification processes.
Enable automatic updates and smart monitoring: Browser updates often include enhanced extension security and additional protection mechanisms that help detect and prevent malicious extension behavior. In addition, implement a monitoring system to identify extensions that update unusually frequently or at suspicious times, such as during periods you’re less likely to notice behavioral changes.
Deploy comprehensive protections: Integrate your browser extension security with broader security measures that can monitor extension behavior and detect suspicious activities such as unauthorized data access, unexpected network connections, or attempts to modify system files. These tools use behavioral analysis and machine learning to identify malicious patterns that might not be apparent through manual observation.
Secure your shopping and banking accounts: Your financial transactions and shopping activities represent high-value targets that need specialized protections. Consider using a dedicated browser for financial activities to isolate your transactions or temporarily disable extensions not related to security or privacy. Enable multi-factor authentication to prevent unauthorized access even if a malicious extension captures your primary login credentials.
Create a positive security routine: Establish straightforward security routines that include the measures listed above to ensure that your shopping, banking, and general browsing activities remain secure while still allowing you to benefit from the enhanced functionality that well-designed extensions provide.
Thankfully, Google continues to improve its security measures for the Chrome Web Store by implementing stricter review processes for extensions and enhancing its ability to detect and remove malicious extensions after they’ve been published. For additional protection, enable Chrome’s Enhanced Safe Browsing, under the browser’s Privacy and Security section.
Malicious browser extensions also pose similar threats across all major browser ecosystems, with attackers targeting the same vulnerabilities: excessive permissions, post-installation payload updates, and social engineering tactics.
Safari’s extension model, while more restrictive, still allows extensions to access browsing data and modify web content when you grant permissions. Microsoft Edge, built on Chromium, shares Chrome’s extension architecture and therefore inherits many of the same security challenges, though Microsoft has implemented additional screening measures for their Edge Add-ons store. Regardless of which browser you use, the fundamental protection strategies remain consistent.
Action plan if you’ve installed a malicious extension
If you suspect you’ve installed a malicious browser extension by mistake, speed matters in the race to protect your accounts. Follow this clear, step-by-step guide to remove the extension, secure your accounts, and check for any signs of compromise.
Immediately disconnect sensitive accounts: Sign out of all banking, shopping, and financial accounts you’ve accessed recently. Malicious extensions can capture session tokens and credentials in real-time, making immediate disconnection critical to prevent unauthorized access.
Remove the malicious extension completely: Open your browser settings and navigate to the Extensions or Add-ons section. Locate the suspicious extension and click “Remove” or “Uninstall.” Don’t just disable it. Check for related extensions that may have been installed simultaneously, as malicious extensions often come in bundles.
Clear all cookies and site data: Go to your browser’s privacy settings and clear all stored cookies, cached data, and site data to remove persistent tracking mechanisms or stored credentials the malicious extension may have accessed or modified. Pay special attention to clearing data from the past 30 days or since you first noticed suspicious activity.
Change all your passwords immediately: Start with your most sensitive accounts—banking, email, and work credentials—followed by all other accounts. Use strong, unique passwords that will make it difficult for the malicious extensions to attempt to access your accounts again. As mentioned earlier, enable multi-factor authentication.
Run a comprehensive security scan: Use reputable security software such as McAfee+ to perform full system scans on all devices where you’ve accessed sensitive accounts. Because malicious extensions can download additional malware or leave traces, it is best to schedule follow-up scans over the next few days to catch any delayed payloads.
Review all account activity thoroughly: Many malicious extensions operate silently for weeks before executing their primary payload. So keep monitoring your login history, transaction records, and changes in account settings across all your accounts, and look for any unauthorized transactions.
Set up account alerts: Set up automated account alerts for all transactions and closely monitor your bank and credit card statements for the next 60-90 days. Place fraud alerts with major credit bureaus if you suspect identity information may have been compromised.
Final thoughts
Browser extensions offer great functionality and convenience, but could introduce cybersecurity risks. With the right combination of smart browsing habits, regular security audits, and comprehensive protection tools, and staying informed, you can safely explore the web, manage your finances online, and shop without worry.
Make it a habit to question your intent to install a new extension, and download only from official browser stores. Review your installed extensions monthly—determine if each one still serves your needs. These practices, combined with keeping your browser and operating system updated, and employing trusted security software, reinforce your defense against evolving online threats. Remember to research any new browser extensions thoroughly before installation, checking developer credentials and reading recent user reviews to identify which browser extensions to avoid.
*EDITOR’S NOTE: Special thank you to the GitHub team for working with us on this research. All malicious GitHub repositories mentioned in the following research have been reported to GitHub and taken down.
Digital banking has made our lives easier, but it’s also handed cybercriminals a golden opportunity. Banking trojans are the invisible pickpockets of the digital age, silently stealing credentials while you browse your bank account or check your crypto wallet. Today, we’re breaking down a particularly nasty variant called Astaroth, and it’s doing something clever: abusing GitHub to stay resilient.
McAfee’s Threat Research team recently uncovered a new Astaroth campaign that’s taken infrastructure abuse to a new level. Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations. When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running. Think of it like a criminal who keeps backup keys to your house hidden around the neighborhood. Even if you change your locks, they’ve got another way in.
Key Findings
McAfee recently discovered a new Astaroth campaign abusing GitHub to host malware configurations.
Infection begins with a phishing email containing a link that downloads a zipped Windows shortcut (.lnk) file. When executed, it installs Astaroth malware on the system.
Astaroth detects when users access a banking/cryptocurrency website and steals the credentials using keylogging.
It sends the stolen information to the attacker using the Ngrok reverse proxy.
Astaroth uses GitHub to update its configuration when the C2 servers become inaccessible, by hosting images on GitHub which uses steganography to hide this information in plain sight.
The GitHub repositories were reported to GitHub and are taken down.
Key Takeaways
Don’t open attachments and links in emails from unknown sources.
Use 2 factor authentication (2FA) on banking websites where possible.
Keep your antivirus up to date.
Geographical Prevalence
Astaroth is capable of targeting many South American countries like Brazil, Mexico, Uruguay, Argentina, Paraguay, Chile, Bolivia, Peru, Ecuador, Colombia, Venezuela, and Panama. It can also target Portugal and Italy.
But in the recent campaign, it seems to be largely focused on Brazil.
Figure 1: Geographical Prevalence
Conclusion
Astaroth is a password-stealing malware family that targets South America. The malware leverages GitHub to host configuration files, treating the platform as resilient backup infrastructure when primary C2 servers become inaccessible. McAfee reported the findings to GitHub and worked with their security research team to remove the malicious repositories, temporarily disrupting operations.
Technical Analysis
Figure 2 : Infection chain
Phishing Email
The attack starts with an e-mail to the victim which contains a link to a site that downloads a zip file. Emails with themes such as DocuSign and resumes are used to lure the victims into downloading a zip file.
Figure 3: Phishing Email
Figure 4: Phishing Email
Figure 5: Phishing Email
JavaScript Downloader
The downloaded zip file contains a LNK file, which has obfuscated javascript command run using mshta.exe.
This command simply fetches more javascript code from the following URL:
To impede analysis, all the links are geo-restricted, such that they can only be accessed from the targeted geography.
The downloaded javascript then downloads a set of files in ProgramData from a randomly selected server:
Figure 6: Downloaded Files
Here,
”Corsair.Yoga.06342.8476.366.log” is AutoIT compiled script, “Corsair.Yoga.06342.8476.366.exe” is AutoIT interpreter,
“stack.tmp” is an encrypted payload (Astaroth),
and “dump.log” is an encrypted malware configuration.
AutoIt script is executed by javascript, which builds and loads a shellcode in the memory of AutoIT process.
Shellcode Analysis
Figure 7: AutoIt script building shellcode
The shellcode has 3 entrypoints and $LOADOFFSET is the one using which it loads a DLL in memory.
To run the shellcode the script hooks Kernel32: LocalCompact, and makes it jump to the entrypoint.
Figure 8: Hooking LocalCompact API
Shellcode’s $LOADOFFSET starts by resolving a set of APIs that are used for loading a DLL in memory.The API addresses are stored in a jump table at the very beginning of the shellcode memory.
Figure 9: APIs resolved by shellcode
Here shellcode is made to load a DLL file(Delphi) and this DLL decrypts and injects the final payload into newly created RegSvc.exe process.
Payload Analysis
The payload, Astaroth malware is written in Delphi and uses various anti-analysis techniques and shuts down the system if it detects that it is being analyzed.
It checks for the following tools in the system:
Figure 10: List of analysis tools
It also makes sure that system locale is not related to the United States or English.
Every second it checks for program windows like browsers, if that window is in foreground and has a banking related site opened then it hooks keyboard events to get keystrokes.
Figure 11: Hooking keyboard events
Programs are targeted if they have a window class name containing chrome, ieframe, mozilla, xoff, xdesk, xtrava or sunawtframe.
Many banking-related sites are targeted, some of which are mentioned below: caixa.gov.br
safra.com.br
Itau.com.br
bancooriginal.com.br
santandernet.com.br
btgpactual.com
We also observed some cryptocurrency-related sites being targeted:
etherscan.io
binance.com
bitcointrade.com.br
metamask.io
foxbit.com.br
localbitcoins.com
C2 Communication & Infrastructure
The stolen banking credentials and other information are sent to C2 server using a custom binary protocol.
Figure 12: C2 communication
Astaroth’s C2 infrastructure and malware configurationare depicted below.
Figure 13: C2 infrastructure
Malware config is stored in dump.log encrypted, following is the information stored in it:
Figure 14: Malware configuration
Every 2 hours the configuration is updated by fetching an image file from config update URLs and extracting the hidden configuration from the image.
Recently, we identified an active Android phishing campaign targeting Indian users. The attackers impersonate a government electricity subsidy service to lure victims into installing a malicious app. In addition to stealing financial information, the malicious app also steals text messages, uses the infected device to send smishing messages to user’s contact list, can be remotely controlled using Firebase and phishing website and malware was hosted in GitHub. This attack chain leverages YouTube videos, a fake government-like website, and a GitHub-hosted APK file—forming a well-orchestrated social engineering operation. The campaign involves fake subsidy promises, user data theft, and remote-control functionalities, posing a substantial threat to user privacy and financial security.
McAfee, as part of the App Defense Alliance committed to protecting users and the app ecosystem, reported the identified malicious apps to Google. As a result, Google blocked the associated FCM account to prevent further abuse. McAfee also reported the GitHub-hosted repository to GitHub Developer Support Team, which took action and already removed it from GitHub. McAfee Mobile Security detects these malicious applications as a high-risk threat. For more information, and to get fully protected, visit McAfee Mobile Security.
Background
The Government of India has approved the PM Surya Ghar: Muft Bijli Yojana on 29th February, 2024 to increase the share of solar rooftop capacity and empower residential households to generate their own electricity. The scheme provides for a subsidy of 60% of the solar unit cost for systems up to 2kW capacity and 40 percent of additional system cost for systems between 2 to 3kW capacity. The subsidy has been capped at 3kW capacity. The interested consumer has to register on the National Portal. This has to be done by selecting the state and the electricity distribution company. Scammers use this subsidy activity to create phishing websites and fake applications, stealing the bank account information of users who want to apply for this subsidy.
Technical Findings
Distribution Methods
This phishing operation unfolds in multiple stages:
YouTube Video Lure: The attackers upload promotional videos claiming users can receive “government electricity subsidies” through a mobile app. A shortened URL is included in the video description to encourage users to click.
Figure 1. YouTube video promoting the phishing URL
2. Phishing Website Imitation: The shortened URL redirects to a phishing website hosted on GitHub. it designed to closely resemble an official Indian government portal.
Figure 2. Phishing and official website
The phishing site has a fake registration process instruction, once the users believe this introduction, they will not have any doubts about the following processes. The phishing site also has a fake Google Play icon, making users believe it’s a Google Play app, but in reality, the icon points to an APK file on GitHub. When victims click the Google Play icon, it will download the APK from GitHub repository instead of accessing Google Play App Store.
3. GitHub-Hosted APK and Phishing page
Both the phishing site source and the APK file are hosted on the same GitHub repository—likely to bypass security detection and appear more legitimate. The repository activity shows that this malicious app has been continuously developed since October 2024, with frequent updates observed in recent weeks.
Figure 3. Malware repository in GitHub
Installation without network
The downloaded APK is not the main malicious component. Instead, it contains an embedded APK file at assets/app.apk, which is the actual malware. The initial APK serves only to install the embedded one. During installation, users are deceived into believing they are installing a “security update” and are prompted to disable mobile data or Wi-Fi, likely to reduce the effectiveness of malware detection solutions that use detection technologies in the cloud. But McAfee is still able to detect this threat in offline mode
Figure 4. Install a malicious APK without a network
According to the installation instructions, a malicious application will be installed. There are 2 applications that are installed on devices.
PMBY – The initial APK, it is used to install PMMBY.
PMMBY – Malware APK, it is installed under the guise of “Secure Update“
Figure 5. Application names and icons.
Malware analysis
PMMBY is an application that actually carries out malicious behavior—let’s delve into the concrete details of how it accomplishes this.
It requests aggressive permission when it is launched.
READ_CONTACTS – Read contacts list
CALL_PHONE – Make/manage phone calls
READ_SMS, SEND_SMS – View and send SMS messages
Notification access – For spamming or masking malicious actions
Figure 6. Aggressive permissions request
Fake UI and Registration Process
Once permissions are granted, the app displays a fake electricity provider selection screen. The message “To Get 300 Unit Free Every Month Please Select Your Electricity Provider From Below And Proceed” is shown in English and Hindi to prompt users to select their provider.
Figure 7. “SELECT YOUR PROVIDER” Activity
After selecting a provider, the app presents a fake registration form asking for the user’s phone number and a ₹1 payment to “generate a registration token.”
Figure 8. Registration Form
In this stage, malware creates a background task to send a https request to https[://]rebrand[.]ly/dclinkto2. The response text is https[://]sqcepo[.]replit[.]app/gate[.]html,https[://]sqcepo[.]replit[.]app/addsm[.]php. The string is split as 2 URLs.
UPI PIN URL – https[://]sqcepo[.]replit[.]app/gate[.]html. It will be used in “ENTER UPI PIN” process. When malware uses this URL, “gate.html” will be replace with“gate.hml”, so the loaded URL is https[://]sqcepo[.]replit[.]app/gate[.]htm.
SMS Uploaded URL – https[://]sqcepo[.]replit[.]app/addsm[.]php. SMS incoming messages are uploaded to this URL.
Figure 9. dclinkto2 request
In the stage of ”MAKE PAYMENT of ₹ 1“,victims are asked to use “UPI-Lite” app to complete the payment. In the “UPI-Lite” activity, victims enter the bank UPI PIN code.
Figure 10. The process of “ENTER UPI PIN”
UPI Credential Theft
UPI-Lite activity is a fake HTML-based form from https[://]sqcepo[.]replit[.]app/gate[.]htm.
Once submitted, the phone number, bank details, and UPI PIN are uploaded to https[://]sqcepo[.]replit[.]app/addup.php. After the attacker obtains this information, they can steal money from your bank account.
Figure 11. Post user’s banker information.
Malware Background Behaviors
In addition to stealing the financial and banking information from the user, the malware is also able to send distribution itself by sending a phishing message to the victim’s contact list, stealing user’s text messages probably to intercept 2FA codes and can be remotely controlled via Firebase.
Send mass phishing SMS messages to Indian users from the victims’ contacts list.
Figure 12. Send Phishing SMS message.
Upload SMS message to Server.
Malware has requested view SMS permission when it is launched. When it receives the incoming SMS message, it handles the message and posts below data to remote server(https[://]sqcepo[.]replit[.]app/addsm[.]php).
senderNum: The phone number of send the incoming message.
Message: The incoming SMS message.
Slot: Which SIM Slot to receive the message
Device rand: A random number was created during the first run to identify the device.
Figure 13. Post Incoming SMS message
Firebase as a Command Channel.
Attackers use FCM(Firebase Cloud Messaging) to send commands to control devices. According to the _type value, malware executes different commands.
Table1. Commands from FCM message
Figure 14. Commands from FCM message
Recommendations
To protect against such sophisticated attacks, users and defenders should take the following precautions:
Avoid downloading apps from unofficial websites:
Especially those offering benefits like subsidies, rewards, or financial aid.
Be cautious of apps that require disabling network connections:
This is often a red flag used to evade real-time antivirus scanning.
Carefully review app permissions:
Apps requesting contact access, SMS read/send or call permissions—without clear reason—should be treated as suspicious.
Use security software with SMS protection:
Enable permission alerts and use reputable mobile security apps to detect abnormal app behavior. McAfee’s Scam Detector as an additional protection for the smishing part.
Cybercriminals are using relevant themes like energy subsidies to trick users into providing financial information. This campaign demonstrates an integrated and stealthy attack chain. YouTube is used to distribute phishing link, GitHub is a reliable and legitimate website to using it to both distribute malicious APKs and serve phishing websites make it more difficult to identify and take it down, and malware authors can remotely update the phishing text messages to be more effective in tricking users into installing the malware via Firebase Cloud Messaging (FCM). With its self-propagation capabilities, financial data theft, and remote-control functions, it poses a serious risk. We will continue to monitor this threat, track emerging variants, and coordinate with relevant platforms to report and help take down associated infrastructure.
PDF converting software can be super helpful. Whether you’re turning a Word document into a PDF or merging files into one neat package, these tools save time and make life easier.
But here’s something many people don’t realize — some of these free PDF tools come with hidden baggage. When you install them, they might also sneak in a new search engine, browser extension, or change your homepage without clearly asking for permission. 
What’s Going On?
Some PDF software is bundled with extra programs. That means when you download and install the PDF converter, it may also install:
A new search engine in your browser
Toolbars or browser extensions
Apps that run in the background on your computer
Most of the time, these are not viruses, but they can slow down your computer, change your browsing experience, and even collect your data.
Geographical Customer Prevalence
The heat map below illustrates the prevalence of EPI PDF software in the field in Q2, 2025.
We see that the top country encountering this software is the United States of America with over 118,000 McAfee device encounters.
Why Do They Do This?
Many free software companies make money by including these extras. Other companies pay them to promote their search tools or browser extensions. It’s a way for them to earn something in return for offering the software for free.
During our daily hunt at McAfee to secure our customer, we came across one such bundler application called EPI PDF Editor that clearly had deceptive nature towards the end user.
Key Takeaways:
Read Before You Click “Next”
Always take a moment during installation to read what each screen says. Look for checkboxes that let you “opt out” of installing extra software.
Choose “Custom” or “Advanced” Installation
This gives you more control over what gets installed on your computer.
Download From Trusted Sources
Stick to well-known websites or the official site of the PDF software. Avoid shady download links from ads or pop-ups.
Use Built-In Tools
Many operating systems (like Windows or macOS) already have simple PDF features like printing to PDF or viewing files, so you might not need extra software at all.
Check Your Browser
If your homepage suddenly changes or you see a new search engine, go to your browser settings and change it back.
McAfee researches such applications proactively, and we review the EULA and Privacy Policy regularly for new applications.
Technical Analysis
EPI PDF Editor is distributed as an MSI installer. Upon launching, the installer window includes a pre-selected option to “Import your current browser settings into EPI PDF,” a choice that appears unrelated to the tool’s intended purpose of handling PDF documents. Unless the user actively opts out by unchecking the box, this action will continue automatically.
Installer Branding Mismatch
The installer is branded as “PDF Converter,” indicating that it is designed for typical PDF tasks such as viewing, converting, splitting, merging, and watermarking documents. However, the inclusion of an opt-out option to import browser settings raises questions about the application’s true functionality.
Figure 1: Import browser settings
Privacy Policy Conflict
A closer examination of the software’s Privacy Policy and Terms reveals a deceptive practice at play. Although the application is marketed as a PDF Converter, the legal documentation tells a different story. As shown in Figure 2, the Privacy Policy of the program—branded as EPIbrowser—explicitly defines the software as a browser designed for Windows-based devices. The screenshot displays both the EPIbrowser logo and the policy text, clearly indicating that the user is not installing a PDF tool, but rather a web browser disguised as one.
Figure 2: Application name in terms & conditions
Figure 3: Application meaning in terms
McAfee’s *PUP Policy states that Software installers must provide software licensing information prior to installing any bundled components.No ‘installation completed’ window pops up but instead, a chromium-based browser opens with a tab opened that too with deceptive behavior i.e. options are present to edit the opened pdf but no action being performed. We can browse the internet by opening other tabs.
Figure 4: Tab in EPI Browser
McAfee PUP policy violated here is, ”Installation: whether the user can make an informed decision about the software installation or add-ons and can adequately back out of any undesired installations.” Another suspicious behavior observed is install location i.e. from ‘Appdata/Temp’ instead of Program Files or Program Files(x86). Further while checking control panel we found that sample has created the entry with EPI Browser only and can be uninstalled. Due to its deceptive behavior, which aligns with the McAfee violation criteria, this application has been classified as a Potentially Unwanted Program (PUP).
The McAfee WebAdvisor browser extension warns users when attempting to navigate to websites known to distribute PUPs.
Figure 5: McAfee Web Advisor Warning
Bottom Line
Free PDF tools are useful — but be aware of what else might come with them. A few extra minutes of reading can save you from hours of frustration later.
Stay smart. Stay safe. And always know what you’re really installing.
In a digital world where convenience often comes at a hidden cost, it’s crucial to be vigilant about the software we install — especially free tools like PDF converters. As the case of EPI PDF Editor highlights, not all applications are what they claim to be. Deceptive installations, hidden browser hijackers, and unauthorized data collection can compromise both your privacy and your device’s performance. By staying informed and cautious — reading installation prompts, choosing advanced options, and relying on trusted sources — you can protect yourself from potentially unwanted programs and avoid falling into these traps.
At McAfee, our goal is to help users stay one step ahead of deceptive software. Awareness is your first line of defense. So, the next time you download a free tool, take a moment to think before you click. Because what seems like a simple installation could be opening the door to much more.
*PUP :- PUP stands for Potentially Unwanted Program that are used to deliver users some unwanted applications like ads, browser addon, search engine modification, extra programs that a user is generally using for daily purpose.
McAfee’s Mobile Research Team discovered a new Android malware campaign targeting Hindi-speaking users, mainly in India. The malware impersonates popular Indian financial apps, including SBI Card, Axis Bank, and IndusInd Bank, and is distributed through phishing websites that are continuously being created. What makes this campaign unique is its dual-purpose design: it steals personal and financial information while also silently mining Monero cryptocurrency using XMRig, which is triggered via Firebase Cloud Messaging (FCM). It also abuses user trust by pretending to be a legitimate app update from Google Play.
McAfee, as part of the App Defense Alliance committed to protecting users and the app ecosystem, reported the identified malicious apps to Google. As a result, Google blocked the associated FCM account to prevent further abuse. Also, McAfee Mobile Security detects all of these apps as High-Risk threats. For more information, visit McAfee’s Mobile Security page.
This campaign targets Indian users by impersonating legitimate financial services to lure victims into installing a malicious app. This is not the first malware campaign targeting Indian users. In the past, McAfee has reported other threats. In this case, the attackers take it a step further by using real assets from official banking websites to build convincing phishing pages that host the malware payload. The app delivered through these phishing sites functions as a dropper, meaning it initially appears harmless but later dynamically loads and executes the actual malicious payload. This technique helps evade static detection and complicates analysis.
Apart from delivering a malicious payload, the malware also mines cryptocurrency on infected mobile devices. When the malware receives specific commands via FCM, it silently initiates a background mining process for Monero (XMR). Monero is a privacy-focused cryptocurrency that hides transaction addresses, sender and receiver identities, and transaction amounts. Because of these privacy features, cybercriminals often use it to stay hidden and move illegal money without getting caught. Its mining algorithm, RandomX, is optimized for general-purpose CPUs, making it possible to mine Monero efficiently even on mobile devices.
Technical Findings
Distribution Methods
The malware is distributed through phishing websites that impersonate Indian financial services. These sites are designed to closely resemble official banking sites and trick users into downloading a fake Android app. Here are some phishing sites we found during our investigation.
Figure 1. Screenshot of a phishing website
These phishing pages load images, JavaScript, and other web resources directly from the official websites to appear legitimate. However, they include additional elements such as “Get App” or “Download” buttons, which prompt users to install the malicious APK file.
Dropper Analysis
When the app is launched, the first screen the user sees looks like a Google Play Store page. It tells the user that they need to update the app.
Figure 2. The initial screen shown by the dropper app
The app includes an encrypted DEX file stored in the assets folder. This file is not the actual malicious payload, but a loader component. When the app runs, it decrypts this file using XOR key and dynamically loads it into memory. The loaded DEX file contains custom code, including a method responsible for loading additional payloads.
Figure 3. First-stage encrypted loader DEX and XOR key
Once the first-stage DEX is loaded, the loader method inside it decrypts and loads a second encrypted file, which is also stored in the assets. This second file contains the final malicious payload. By splitting the loading process into two stages, the malware avoids exposing any clearly malicious code in the main APK and makes static analysis more difficult.
Figure 4. Second-stage malicious payload loaded by Loader class
Once this payload is loaded, the app displays a fake financial interface that looks like a real app. It prompts the user to input sensitive details such as their name, card number, CVV, and expiration date. The collected information is then sent to the attacker’s command-and-control (C2) server. After submission, the app shows a fake card management page with messages like “You will receive email confirmation within 48 hours,” giving the false impression that the process is ongoing. All features on the page are fake and do not perform any real function.
Figure 5. Fake card verification screen
Monero Mining Process
As mentioned earlier, one of this campaign’s key features is its hidden cryptomining functionality. The app includes a service that listens for specific FCM messages, which trigger for start of the mining process.
Figure 6. Firebase messaging service is declared in the manifest.
In the second-stage dynamically loaded code, there is a routine that attempts to download a binary file from external sources. The malware contains 3 hardcoded URLs and tries to download the binary from all of them.
Figure 7. Hardcoded URLs used by the malware to download a binary file
The downloaded binary is encrypted and has a .so extension, which usually indicates a native library. However, instead of loading it normally, the malware uses ProcessBuilder, a Java class for running external processes, to directly execute the file like a standalone binary.
Figure 8. Executing downloaded binary using ProcessBuilder
What’s particularly interesting is the way the binary is executed. The malware passes a set of arguments to the process that exactly match the command-line options used by XMRig, an open-source mining tool. These include specifying the mining pool server and setting the target coin to Monero.
Figure 9. XMRig-compatible arguments passed to the mining process
When the decrypted binary is executed, it displays log messages identical to those produced by XMRig. In summary, this malware is designed to mine Monero in the background on infected devices when it receives specific FCM messages.
Figure 11. Geographic distribution of infected devices
Telemetry shows that most infections are concentrated in India, which aligns with the campaign’s use of Hindi language and impersonation of Indian financial apps. A small number of detections were also observed in other regions, but these appear to be limited.
What makes this campaign notable is its dual-purpose design, combining financial data theft with background cryptomining, triggered remotely via Firebase Cloud Messaging (FCM). This technique allows the malware to remain dormant and undetected until it receives a specific command, making it harder for users and defenders to detect.
To stay protected, users are strongly advised to download apps only from trusted sources such as Google Play, and to avoid clicking on links received through SMS, WhatsApp, or social media—especially those promoting financial services. It is also important to be cautious when entering personal or banking information into unfamiliar apps. In addition, using a reliable mobile security solution that can detect malicious apps and block phishing websites can provide an added layer of protection against threats like this.
McAfee’s Mobile Research Team discovered a new and active Android malware campaign targeting Bengali-speaking users, mainly Bangladeshi people living abroad. The app poses as popular financial services like TapTap Send and AlimaPay. It is distributed through phishing sites and FacebookFacekbook pages, and the app steals users’ personal and financial information. The campaign remains highly active, with the command-and-control (C2) server operational and connected to multiple evolving domains. While the attack techniques are not new, the campaign’s cultural targeting and sustained activity reflect how cybercriminals continue to adapt their strategies to reach specific communities. McAfee Mobile Security already detects this threat as Android/FakeApp. For more information, visit McAfee Mobile Security.
Bangladeshi people living abroad, particularly in countries such as Saudi Arabia, the UAE, Malaysia, and the UK, rely heavily on mobile money services to send remittances and verify their identities for various purposes. Services like bKash, TapTap Send, and AlimaPay are widely used and trusted within this community.
In 2024, annual remittances sent to Bangladesh reached nearly $26.6 billion, ranking sixth globally and third in South Asia. This massive flow of cross-border funds highlights the economic importance and digital engagement of the Bangladeshi diaspora.
Figure 1. Top Recipients of Remittances in 2024 (Source: World Bank)
As more people use mobile financial apps, cybercriminals are finding new ways to trick them using fake apps and phishing websites. Many users trust apps shared by friends or family, and some may not know how to spot scams. This makes them easy targets for attackers.
In May 2025, McAfee’s Mobile Research Team identified a malware campaign designed to exploit these conditions. The fake Android app impersonates well-known money transfer services and steals personal information such as the user’s name, email address, phone number, and photo ID (such as a passport or national ID card). It also attempts to collect financial data like card numbers through fake in-app pages. Moreover, the C2 server’s storage is publicly exposed, meaning that the stolen data can be accessed by anyone, which significantly increases the risk of abuse.
Technical Findings
Distribution Methods
Over the past few weeks, these fake apps have continued to appear, suggesting an active and sustained campaign targeting Bengali-speaking users. These apps are primarily distributed through phishing websites that mimic trusted remittance services, often shared via fake Facebook pages.
Figure 2. Screenshot of a phishing website
The page is written entirely in Bengali, mimicking a legitimate remittance service commonly used by Bangladeshi expatriates. Below is a translated excerpt of the main message shown on the landing page:
Bengali (original):
আসসালামু আলাইকুম।
প্রবাসী ভাইদের জন্য সুখবর। যারা কাজের পাশাপাশি বাড়তি আয় করতে চান, তারা বিকাশ, ফ্ল্যাশলোড ব্যবসা করতে পারেন। সম্পূর্ণ বৈধ উপায়ে। আপনার হাতের মধ্যে রয়েছে মোবাইলের মাধ্যমে। মোবাইল ব্যাংকিং করুন খুব সহজেই।
English (translation):
Peace be upon you.
Good news for our brothers living abroad. If you’re looking to earn extra income along with your job, you can do business with bKash or FlashLoad in a completely legal way. Everything is within your reach through mobile. Mobile banking is very easy.
In addition to phishing websites, the attackers also created fake Facebook pages that closely resemble legitimate remittance services. These pages often reuse official logos, promotional images, and even videos taken from real financial platforms to appear trustworthy. However, the site links on these pages point to phishing websites hosting the malicious app.
Figure 3. Fake Facebook page mimicking a legitimate remittance service
Fake App Analysis
Once installed, the fake app immediately presents an interface that closely resembles a legitimate remittance application. It supports both Bengali and English language options and shows realistic-looking exchange rates.
Figure 4. Initial UI of the fake TapTap Send app
Users can select from a list of countries with large Bangladeshi expatriate populations, such as Maldives, Dubai, Oman, Saudi Arabia, Malaysia, Canada, and India, to simulate money transfers to Bangladeshi Taka (BDT). These details are likely included to establish trust and make the app appear functional. However, these screens serve as bait to encourage users to proceed with account creation and enter personal information. As users continue through the registration flow, the app requests increasingly sensitive data in multiple stages. First, it requests the user’s email address and full name. Then, it prompts them to select their country of residence and provide a valid mobile number. Next, users are asked to choose an account type, either “Personal” or “Agent”, a distinction commonly seen in real remittance platforms.
Figure 5. Multi-step registration flow (1)
Following this, the app reaches its most sensitive stage: it asks the user to take and upload a photo of an official ID, such as a passport, national ID (NID), or an e-commerce verification photo. This request is made in the local language and framed as a requirement to complete account setup. After uploading the ID, users are then asked to create a login password and a 5-digit PIN, just like real financial apps. This step makes the app feel more trustworthy and secure, but the collected credentials could later be used in credential stuffing attacks. All of this information is sent to the C2 server and stored, making it available for future fraud or identity theft.
Figure 6. Multi-step registration flow (2)
After completing the registration process, users are taken to a fully designed dashboard. The interface mimics a real financial or remittance app, complete with icons for money transfer, bill payment, mobile banking, and even customer support features.
Figure 7. The fake TapTap Send app’s main dashboard
The malware includes multiple fake transaction interfaces. These screens simulate mobile money transfers, bill payments, and bank transfers using logos from real services. Although no actual transaction is performed, the app collects all entered information such as phone numbers, account details, PINs, and payment amounts. This data is then transmitted to the C2 server.
Figure 8. Fake transaction screens that imitate real financial services
C2 Server and Data Exfiltration
All the information collected by the fake app, including credentials, contact details, and photo IDs, is stored on the C2 server. However, the server lacks basic security settings. Directory listing is enabled, which means anyone can access the uploaded files without authentication. During our investigation, we found that one of the C2 domains contained 297 image files. These files appear to be photo IDs uploaded by users during the registration process.
Figure 9. Publicly accessible directory listing on the C2 server
These ID images include highly sensitive personal information and are publicly accessible. If downloaded or misused, they could pose a serious privacy and identity theft risk.
Figure 10. Example of a sensitive photo ID image uploaded during app registration
Figure 11. Geographic distribution of infected devices
As expected, telemetry shows activity in countries with large Bangladeshi populations abroad, such as Saudi Arabia, Malaysia, Bangladesh, and the United Arab Emirates. This aligns with the app’s targeting of Bengali-speaking users through culturally familiar language and visuals. The campaign remains active, with new phishing domains and variants continuing to appear. Given the evolving nature of this threat and its use of trusted platforms like Facebook to distribute malicious content, users should stay cautious when encountering financial service promotions through social media or unknown websites. We recommend downloading apps only from trusted sources such as Google Play, avoiding links shared via social media, and being extra careful when asked to provide personal or banking information. Using mobile security software that can detect and block these threats is also strongly advised.
Login
