Android RAT Campaign Abuses Hugging Face to Mass-Distribute Polymorphic Financial Malware
Researchers have uncovered an active Android malware campaign that abuses Hugging Face infrastructure to host and distribute thousands of malicious APK variants, exploiting the platform’s reputation as a trusted developer resource. The operation begins with a scareware-style dropper app, most recently branded as TrustBastion, which is promoted via deceptive ads claiming the victim’s device is infected and in need of urgent protection. After installation, the app presents a fake Google Play–style update prompt and redirects victims to Hugging Face dataset repositories, where the final RAT payload is delivered through the platform’s CDN. Analysis shows the threat actor employs aggressive server-side polymorphism, generating new APK builds approximately every 15 minutes, resulting in more than 6,000 payload variants in under a month. Although repositories are periodically taken down, the campaign quickly resurfaces under new app names such as Premium Club, while retaining the same core malware code. This approach allows attackers to evade hash-based detection while maintaining scale and persistence.

Once installed, the second-stage payload functions as a full-featured Android remote access trojan that heavily abuses Accessibility Services under the guise of “phone security” features. With these permissions, the malware can capture screenshots, inject overlays, simulate user interactions, block uninstallation attempts, and continuously monitor device activity. The RAT deploys phishing overlays impersonating financial platforms such as Alipay and WeChat to harvest credentials, and attempts to steal device lock-screen PINs. Stolen data, screenshots, and telemetry are exfiltrated to a centralized command-and-control server that also pushes configuration updates and fake in-app content to maintain legitimacy.
Mitigation requires users to avoid sideloaded apps and to scrutinize permission requests, especially requests for Accessibility access, and requires organizations to deploy mobile threat defense solutions capable of detecting behavioral indicators rather than relying solely on static signatures.
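The combination the RAT depends on, a package that was not installed by a store client yet holds Accessibility access, is easy to triage from a device hooked up over adb. The script below is an added example, not code from the original analysis; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, both in their real formats. The two sample outputs embedded in it are constructed, and the flagged package and service class names (`com.example.trustbastion`, `PhoneSecurityService`) are hypothetical.

```python
"""Flag sideloaded packages that hold Accessibility access on an Android device.

Added example, not code from the original analysis. It parses the output of two
adb commands a responder would run (names of the flagged package and its
service class are hypothetical; both sample outputs are constructed):

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed: enabled services are colon-separated "package/class" components.
ENABLED_A11Y_SAMPLE = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.trustbastion/com.example.trustbastion.PhoneSecurityService"
)

# Constructed: "installer=null" means no store client recorded the install,
# which is what a browser-downloaded or adb-installed APK looks like.
PM_LIST_SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.android.talkback  installer=com.android.vending
package:com.example.trustbastion  installer=null
package:com.example.sideloaded  installer=null
"""

# Installer packages you trust; add the OEM store where relevant.
STORE_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"package:(\S+)\s+installer=(\S+)")


@dataclass
class Finding:
    package: str
    services: list[str]
    installer: str | None  # None means sideloaded / no recorded installer


def parse_enabled_services(raw: str) -> dict[str, list[str]]:
    """Map package -> enabled accessibility service classes.
    `settings get` prints "null" when nothing is enabled; that yields {}."""
    services: dict[str, list[str]] = {}
    for component in raw.strip().split(":"):
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map package -> installer package, None when pm reports null."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def flag_sideloaded_accessibility(a11y_raw: str, pm_raw: str,
                                  trusted=STORE_INSTALLERS) -> list[Finding]:
    """Accessibility access alone is normal (screen readers) and sideloading
    alone is common; the combination is the signal worth a closer look."""
    enabled = parse_enabled_services(a11y_raw)
    installers = parse_installers(pm_raw)
    return [
        Finding(pkg, classes, installers.get(pkg))
        for pkg, classes in enabled.items()
        if installers.get(pkg) not in trusted
    ]


if __name__ == "__main__":
    for f in flag_sideloaded_accessibility(ENABLED_A11Y_SAMPLE, PM_LIST_SAMPLE):
        print(f"[!] {f.package} installer={f.installer} "
              f"accessibility={','.join(f.services)}")
```

On a real device, pipe the two adb commands into the parsers instead of the constructed samples. Note that a package which the RAT has already protected from uninstallation will still show up here, since the check reads system settings rather than asking the app anything.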
UAT-8099 Adopts Region-Specific BadIIS Variants to Sustain IIS-Based SEO Fraud
Cisco Talos has identified renewed activity from UAT-8099 between late 2025 and early 2026, targeting Internet Information Services (IIS) servers across Asia, with a concentrated focus on Thailand and Vietnam. The campaign shows strong operational overlap with the previously documented WEBJACK activity, including shared malware, command-and-control infrastructure, victimology, and gambling-focused SEO fraud objectives. UAT-8099 continues to rely on web shells and PowerShell for post-exploitation, while deploying tools such as SoftEther VPN, EasyTier, and GotoHTTP to maintain remote control over compromised servers. The actor has expanded its toolset with log-clearing utilities, file-hiding software, and kernel-level tools to evade security controls and extend dwell time.

A notable evolution in this activity is the shift away from global opportunistic abuse toward deliberate, geographically scoped operations. Talos observed multiple new BadIIS variants customized for specific regions, with country indicators hardcoded into the malware to control behavior based on language, file paths, and request headers. These variants selectively hijack IIS request handling to redirect search engine crawlers or inject malicious JavaScript only when conditions such as “Accept-Language” and dynamic page extensions match targeted regions, enabling effective SEO fraud while minimizing operational noise. Additional variants introduce extension filtering, directory index validation, XOR-obfuscated C2 configuration, and dynamic HTML template generation to further refine targeting and evade detection. Talos also identified a Linux ELF version of BadIIS that exhibits proxy, injector, and SEO fraud modes, consistent with earlier UAT-8099 activity.

Organizations should prioritize patching exposed IIS servers, audit for unauthorized local accounts and malicious IIS modules, and monitor for anomalous SEO manipulation and post-exploitation tooling indicative of this campaign.
Malicious Open VSX Extension Raises Fears of a Dormant Supply-Chain Worm
A new malicious extension has been discovered in the Open VSX marketplace masquerading as the legitimate Angular Language Service, highlighting growing concerns that the next large-scale worm may originate from developer tooling rather than traditional package repositories. The extension remained publicly available for roughly two weeks and surpassed 5,000 downloads before being weaponized, blending authentic Angular and TypeScript dependencies with a hidden, encrypted loader. Once activated by opening HTML or TypeScript files, the extension decrypts the loader with AES-256-CBC and executes it, giving the malicious code full access to the local VS Code and Node.js environment. The campaign uses a novel command-and-control mechanism that retrieves instructions from Solana blockchain transactions, a technique known as EtherHiding. This approach provides resilience, anonymity, and takedown resistance by embedding encoded payload URLs in immutable blockchain memo fields. Analysts warn that this model allows attackers to silently wait for scale before triggering widespread compromise.

The decrypted payload demonstrates a strong focus on developer-centric theft, including harvesting NPM and GitHub credentials, validating stolen tokens in real time, and extracting data from more than 60 cryptocurrency wallet applications. Additional functionality includes terminating browser processes to unlock credential stores, persistence through scheduled tasks and registry keys, and encrypted native module execution designed to evade endpoint detection. The malware includes a geofencing-style check that aborts execution on Russian-language systems, a pattern commonly associated with Russian-speaking threat actors. Exfiltrated data is compressed and sent to external command servers, with fallback infrastructure dynamically discovered via Google Calendar links if primary endpoints are blocked.
The use of blockchain-based C2, encrypted multistage loaders, and trusted extension marketplaces significantly raises the risk of stealthy supply-chain propagation. Defenders should aggressively audit installed extensions, restrict marketplace sources, and monitor developer environments for anomalous credential access and blockchain-based network lookups indicative of this activity.
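The traits described above, activation on HTML or TypeScript files, an AES-256-CBC decrypt routine in the shipped JavaScript, Solana RPC lookups and a Google Calendar fallback, can be hunted for in the extension directories on developer machines. The script below is an added example, not the researchers' tooling. It assumes the real on-disk layout (`<root>/<publisher>.<name>-<version>/package.json`, with `~/.vscode/extensions` and `~/.vscode-oss/extensions` as the usual roots) and a set of indicator patterns of my own choosing; `api.mainnet-beta.solana.com` is the public Solana mainnet RPC host, while the exact strings the real loader uses are not given in the summary. The sample extension it writes is constructed and its publisher and name are hypothetical.

```python
"""Scan installed VS Code / VSCodium extensions for the loader traits described
above: activation on HTML/TypeScript files plus an AES-256-CBC decrypt call,
Solana RPC lookups or a Google Calendar fallback in the shipped JavaScript.

Added example, not the researchers' tooling. Extension directories follow the
real layout (<root>/<publisher>.<name>-<version>/package.json). The extension
written by write_sample_extension() is constructed; publisher/name are
hypothetical, and the indicator regexes are this example's own choices.
"""
from __future__ import annotations
import json
import re
import tempfile
from pathlib import Path

# Activation events that fire on everyday editing rather than on an explicit command.
RISKY_ACTIVATION = {"onLanguage:html", "onLanguage:typescript", "*", "onStartupFinished"}

# (label, regex) pairs matched against every JavaScript file in the extension.
INDICATORS = [
    ("aes-256-cbc decrypt", re.compile(r"createDecipheriv\s*\(\s*['\"]aes-256-cbc['\"]", re.I)),
    ("solana rpc host", re.compile(r"api\.(?:mainnet-beta|devnet)\.solana\.com", re.I)),
    ("solana tx lookup", re.compile(r"\"method\"\s*:\s*\"get(?:Transaction|SignaturesForAddress)\"")),
    ("google calendar fallback", re.compile(r"calendar\.google\.com/calendar", re.I)),
]


def scan_extension(ext_dir: Path) -> dict | None:
    """Return activation events of interest and indicator hits for one extension."""
    manifest = ext_dir / "package.json"
    if not manifest.is_file():
        return None
    try:
        pkg = json.loads(manifest.read_text(encoding="utf-8"))
    except (json.JSONDecodeError, UnicodeDecodeError):
        return {"dir": ext_dir.name, "activation": [], "indicators": ["unreadable package.json"]}
    activation = [a for a in pkg.get("activationEvents", []) if a in RISKY_ACTIVATION]
    hits: set[str] = set()
    for js in ext_dir.rglob("*"):
        if js.suffix not in (".js", ".cjs", ".mjs") or not js.is_file():
            continue
        text = js.read_text(encoding="utf-8", errors="ignore")
        for label, rx in INDICATORS:
            if rx.search(text):
                hits.add(label)
    return {"dir": ext_dir.name, "activation": activation, "indicators": sorted(hits)}


def scan_root(root: Path) -> list[dict]:
    """Scan every extension under root; keep only those with indicator hits."""
    results = []
    if not root.is_dir():
        return results
    for ext_dir in sorted(root.iterdir()):
        if ext_dir.is_dir():
            r = scan_extension(ext_dir)
            if r and r["indicators"]:
                results.append(r)
    return results


def write_sample_extension(root: Path) -> Path:
    """Constructed extension showing the traits; hypothetical publisher/name."""
    ext = root / "example-publisher.angular-langsvc-helper-1.0.0"
    ext.mkdir(parents=True)
    (ext / "package.json").write_text(json.dumps({
        "name": "angular-langsvc-helper",
        "publisher": "example-publisher",
        "main": "./out/extension.js",
        "activationEvents": ["onLanguage:html", "onLanguage:typescript"],
    }))
    (ext / "out").mkdir()
    (ext / "out" / "extension.js").write_text(
        'const crypto = require("crypto");\n'
        'function unwrap(key, iv, blob) {\n'
        '  return crypto.createDecipheriv("aes-256-cbc", key, iv).update(blob);\n'
        '}\n'
        'const rpc = "https://api.mainnet-beta.solana.com";\n'
        'const body = JSON.stringify({"jsonrpc":"2.0","id":1,'
        '"method":"getSignaturesForAddress","params":[]});\n'
    )
    return ext


def demo() -> list[dict]:
    """Write the constructed sample into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_extension(Path(tmp))
        return scan_root(Path(tmp))


if __name__ == "__main__":
    for r in demo():
        print("[sample]", r)
    for root in (Path.home() / ".vscode" / "extensions", Path.home() / ".vscode-oss" / "extensions"):
        for r in scan_root(root):
            print("[!]", r)
```

A hit on a single indicator is not proof on its own (plenty of honest extensions ship `crypto` calls); the point is that an extension which activates on ordinary file types and also talks to a blockchain RPC has no legitimate reason to do both, and those are the ones to pull for manual review.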
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.