Albiriox: Rapidly Evolving Android Banking Malware-as-a-Service
Albiriox is a newly emerging Android banking malware family operating as a Malware-as-a-Service, first spotted in September 2025 and now actively sold on Russian-language cybercrime forums. It uses staged delivery via SMS phishing to lead victims to fake app pages, which install a dropper that deploys the main payload. Once installed, the malware immediately abuses Android’s “Install Unknown Apps” permission and activates accessibility-based controls to gain full device access. Its capabilities include remote screen streaming, full UI manipulation, and credential theft through generic overlay templates. More than 400 banking, fintech, and cryptocurrency apps are hardcoded as targets, indicating preparation for large-scale global fraud operations. The malware also integrates evasion techniques through a custom builder that uses encryption services to bypass static detection. Albiriox enables full on-device fraud by allowing attackers to perform real-time actions within legitimate apps, including initiating transfers, approving authentication prompts, and masking activity behind black-screen overlays. Its VNC-style remote access module lets threat actors navigate the device exactly as a user would, circumventing server-side security controls that rely on device reputation or behavioral checks. Early campaigns show highly localized targeting, such as German-language lures in Austria, suggesting affiliates are customizing infrastructure for regional operations. The malware supports continuous communication with its command server through structured JSON messages and a persistent heartbeat, ensuring stable remote sessions during fraud attempts. Its rapid development cycle and growing feature set indicate that the operators plan to scale distribution quickly now that the public MaaS offering is live. Mobile users should avoid sideloaded apps, restrict app permissions (in particular accessibility and unknown-source installs), and enable strong MFA, while financial institutions should adopt behavioral detection tuned to on-device fraud patterns.
APT36 Expands Espionage Operations With Linux-Focused Tooling Targeting Indian Government Systems
APT36 has initiated a targeted espionage campaign leveraging weaponized .desktop files to compromise BOSS Linux systems across Indian government networks. The operation uses spear-phishing emails to deliver shortcuts disguised as benign documents that download a decoy PDF while silently installing ELF malware and a supporting shell script. The payload establishes persistence through systemd user services and deploys a PyInstaller-based Python RAT designed for cross-platform execution. This implant enables remote command execution, file exfiltration, screenshot capture, and dynamic Python code execution, giving operators full control of compromised hosts. The campaign reflects a deliberate expansion of APT36’s tooling to align with indigenous Linux deployments inside Indian government environments. Taken together, this shows a marked increase in the group’s operational maturity and its ability to adapt to platform diversity. Infrastructure analysis reveals attacker-controlled domains and IPs consistent with the short-lived, disposable assets often seen in state-aligned espionage operations. The RAT communicates with its C2 via structured HTTP POST requests and maintains an uninterrupted command-polling loop to execute operator tasks with minimal forensic trace. Persistence techniques differ between Linux and Windows systems, demonstrating a hybrid capability set intended for broad operational reach. The group’s use of encoded payloads, staged execution, and desktop-file-based masquerading improves stealth and complicates detection across standardized Linux deployments. This activity underscores APT36’s strategic intent to maintain long-term intelligence collection inside Indian government environments. Defenders should prioritize controls that monitor execution of .desktop files, unknown ELF binaries, and outbound communications to suspicious infrastructure.
Tomiris: Multi-Language Tooling and Public-Service C2 in Operations Against Government and IGO Targets
Tomiris has expanded its operations with a campaign targeting foreign ministries, IGOs, and government networks across Russia and Central Asia. The actor has shifted toward stealth-focused tradecraft by embedding command-and-control communications in public services, including Telegram and Discord, allowing malicious traffic to blend with legitimate service usage. Initial access relies on password-protected phishing archives containing executables disguised as documents, which deploy reverse shells written in Rust, Go, Python, PowerShell, and C/C++. These first-stage implants perform reconnaissance, establish persistence, and fetch post-exploitation frameworks including Havoc and AdaptixC2. Filename patterns, lure themes, and propagation methods align with historical Tomiris operations, supporting high-confidence attribution. After establishing a foothold, operators conduct hands-on-keyboard activity to deploy additional implants and expand control across compromised environments. The group’s tooling includes Telegram- and Discord-controlled backdoors, Python file grabbers, multi-language reverse shells, and customized reverse SOCKS proxies that enable covert lateral movement. These modules give operators broad capabilities, including command execution, data harvesting, screenshot capture, and remote payload deployment, all designed to maintain resilient access while minimizing detection. Tomiris’ 2025 activity reflects a continued evolution toward modular malware ecosystems and public-service C2 channels, reinforcing the actor’s focus on long-term persistence and strategic intelligence collection inside government networks. Organizations should enforce strict attachment controls, monitor for Telegram/Discord-based C2 traffic, deploy behavioral EDR capable of detecting multi-language reverse shells, and block outbound connections to newly registered or anomalous cloud service endpoints to disrupt Tomiris’ toolchain and persistence mechanisms.
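One way to act on the "monitor for Telegram/Discord-based C2 traffic" recommendation above, as an added example that is not part of the original report: group web-proxy requests to the public-service API hosts by source, host and User-Agent, skip traffic from browsers and official clients, and flag sessions that poll on a near-constant period. The log format, the relay host set, the client allowlist and the sample lines are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Public-service API hosts that the backdoors described above use as C2 relays.
RELAY_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
# Assumed allowlist of User-Agent prefixes for browsers and official desktop clients.
KNOWN_CLIENTS = ("Mozilla/", "Discord/", "Telegram")
# Constructed proxy log format: <iso-timestamp> <src-ip> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample: one scripted poller beaconing about every 60 s, one real browser visit.
SAMPLE_LOG = """\
2025-11-03T09:00:00 10.0.5.14 api.telegram.org /botREDACTED/getUpdates "python-requests/2.31.0"
2025-11-03T09:01:00 10.0.5.14 api.telegram.org /botREDACTED/getUpdates "python-requests/2.31.0"
2025-11-03T09:02:01 10.0.5.14 api.telegram.org /botREDACTED/getUpdates "python-requests/2.31.0"
2025-11-03T09:03:00 10.0.5.14 api.telegram.org /botREDACTED/getUpdates "python-requests/2.31.0"
2025-11-03T09:00:10 10.0.5.22 discord.com /channels/@me "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
2025-11-03T09:05:00 10.0.5.22 discord.com /channels/@me "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
2025-11-03T09:00:30 10.0.5.14 updates.example.invalid /check "python-requests/2.31.0"
"""

def find_relay_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Flag (src, host, UA) sessions that poll a relay host on a regular period."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["host"] not in RELAY_HOSTS:
            continue
        if m["ua"].startswith(KNOWN_CLIENTS):
            continue  # interactive client traffic; we are after scripted pollers
        sessions[(m["src"], m["host"], m["ua"])].append(datetime.fromisoformat(m["ts"]))
    hits = []
    for (src, host, ua), stamps in sessions.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Low relative deviation between requests is the machine-like cadence of a poller.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append({"src": src, "host": host, "ua": ua, "period_s": round(mean, 1)})
    return hits

if __name__ == "__main__":
    for hit in find_relay_beacons(SAMPLE_LOG):
        print(hit)
```

Implants that add random sleep will raise the jitter ratio, so pair this cadence check with the User-Agent and request-path context rather than relying on it alone.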